This step-by-step article describes how the Pre-Windows 2000 Compatible Access group is used, why it is needed in a mixed-mode domain, and how to set up the group by using the Active Directory Users and Computers snap-in and command line.
Setup procedures that you run in the graphical user interface (GUI) are done by a member of the domain administrators group on a domain controller (DC) that is running Windows 2000 in a mixed-mode environment.
Setup procedures that you run at a command prompt are done by a member of the domain administrators group on a DC that is running Windows NT 4.0 RAS (or RRAS) server in a mixed-mode environment.
Set Up the 2000 Compatible Access Group in the Active Directory Users and Computers Snap-in
By default, the Everyone special group is a member of the Pre-Windows 2000 Compatible Access group. This enables any RAS caller to be authenticated by the Windows NT 4.0 RAS server. If the Everyone special group has been deleted from the Pre-Windows 2000 Compatible Access:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click the server you want to work with.
- In the console tree, click the BUILTIN folder.
- In the Details pane, right-click the Pre-Windows 2000 Compatible Access group, and then click Properties.
- On the Members tab, click Add.
- In the Select Users, Contacts, Computers or Groups dialog box, click the Domain Users group, click Add, and then click OK.
- After you verify that the group has been added, click OK.
Set up the 2000 Compatible Access Group at the Command Line
Adding the Everyone special group can only be done at a command prompt. However, in the GUI, you can add the Domain Users group, and adding that group to the Pre-Windows 2000 Compatible Access group has almost the same effect because the Domain Users group is normally the largest and broadest group of users. The Windows NT 4.0 RAS or RRAS server requires a reboot. After the reboot, all domain users can be authenticated by the RAS or RRAS server.
- Click Start, and then click Run.
- Type cmd, and then click OK.
- At the command prompt, type net localgroup "Pre-Windows 2000 Compatible Access" everyone /add, and then press ENTER.
- Type exit, and then press ENTER.
Because servers must be restarted after you use these procedures, you should do so when network traffic is the lightest.
For additional information about the possible vulnerabilities can occur when you add the Everyone special group to the Pre-Windows 2000 Compatible Access group, click the following article number to view the article in the Microsoft Knowledge Base:
Using Windows NT 4.0 RAS Servers in a Windows 2000 Domain
Article ID: 303973 - Last Review: November 1, 2006 - Revision: 3.1
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
|kbhowto kbhowtomaster KB303973|