Some server programs, such as Windows NT Remote Access Service, read information stored on domain controllers.
--> Permissions compatible with pre-Windows 2000 servers
Select this option if you run server programs on pre-Windows 2000 servers or on Windows 2000 servers that are members of pre-Windows 2000 domains.
Anonymous users can read information on this domain.
--> Permissions compatible only with Windows 2000 servers
Select this option if you run server programs only on Windows 2000 servers that are members of Windows 2000 domains. Only authenticated users can read information on this domain.
The effect of nesting the Everyone group is to either allow or disallow anonymous (null) connections. Microsoft Windows NT 4.0 clients use null connections to perform various actions. Without the Everyone group nested, certain Windows NT 4.0 null credential actions do not work.
If the the option you choose during Dcpromo is not the option you want to use later, you can reverse it. To reverse the choice, either add or remove the Everyone group from the built-in Pre-Windows 2000 Compatible Access group. You cannot perform this action by using the Active Directory Users and Computers snap-in.
To make the change, run one of the following commands from a command prompt. Run the commands as specified, including the quotation marks. The quotation marks are necessary because the target group name contains spaces.
To add the Everyone group:
NOTE:You have to make sure that you reboot all the domain controllers after adding or removing the everyone group in the "Pre-Windows 2000 Compatible Access" otherwise it will not take affect. Also remember that if you only reboot the DC that you do it on, only that DC will be affected unless you also reboot rest of the DCs in the domain.
Article ID: 257988 - Last Review: Mar 1, 2007 - Revision: 1