Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Permissions Are Affected After You Demote a Domain Controller
Article ID: 320230 - View products that this article applies to.
This article was previously published under Q320230
After you demote a domain controller, domain local groups are not used to provide access to local resources. Note that this behavior only applies to domains that are in Mixed mode. The local group may still be displayed in the access control list (ACL). However, it cannot be used for authorization, and cannot be added to any other ACLs. When a user whose access has been defined by using a domain local group tries to use resources on the demoted server, the user may receive an "access denied" error message (or equivalent error messages).
In mixed mode, the scope of the domain local group is the domain controllers. When a domain controller is demoted, it falls out of the scope of this group type. Even though the group SID remains in the ACL and can be resolved, they cannot be used for granting access. The reason is that the domain local group is not in the access token of users that are logged on to member computers. This only occurs when the domain is in Native mode.
To work around this behavior, use any of the following methods:
When you use Windows 2000 Server and Windows 2000 Advanced Server in Mixed mode, the boundaries for domain local groups are the domain controllers for the current domain. The local groups can only be used to assign Windows NT File System (NTFS) permissions or share permissions, for example, on domain controllers for the current domain.
When a domain controller is demoted, the SIDs of the local groups remain in the access control lists, and can still be resolved to their friendly names. However, after the demotion, they cannot be used for authorization. Also, they cannot be added to either file or share permissions until the domain is switched to Native mode.
Switching the domain to Native mode provides the group flexibility to add domain local groups to the resources on non-domain controllers. For Windows 2000, this rule applies to Windows 2000 domain controllers that have been demoted and to Windows NT 4.0 domain controllers that have been upgraded and left as member servers during the upgrade process. For additional information about domain local groups, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/259392/EN-US/ )Domain Local Group Scope in Windows 2000 Domain Operation Modes
Article ID: 320230 - Last Review: March 2, 2007 - Revision: 5.3