Windows NT 4.0-Based Domain Users and Groups Are Displayed Slowly on Windows 2000-Based Computers

This article was previously published under Q256641
This article has been archived. It is offered "as is" and will no longer be updated.
Enumerating users and groups for any of the following operations takes 10-30 minutes, depending on the number of users and groups (also known as security principals) in the specified Windows NT 4.0-based domain. While the enumeration runs, CPU usage on the primary domain controller of that domain increases by 70-90 percent until all security principals have been enumerated, and 10-30 MB of network bandwidth is consumed, depending on the size of the domain's accounts database:
  • Defining group membership, such as adding a domain user to the local Administrators group on a member workstation
  • Setting permissions for users and groups on files and folder shares
  • Setting permissions for users and groups on keys in the Windows NT registry
  • Enabling an audit trail for object access by users and groups
  • Listing users and groups from Windows NT 4.0 source domains for migration in the Active Directory Migration tool
Also, if Object Access success auditing is enabled on domain controllers, when you try to add a user to an ACL on the Windows 2000 computer, 560 and 562 audit events are logged for each non-built-in user account in the domain.
This problem can occur because the Windows 2000-based computer obtains detailed information for every user in the Windows NT 4.0-based domain.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

To work around this problem for domain membership, use command-line equivalents. Windows 2000-based domain computers use the Lightweight Directory Access Protocol (LDAP) and are less susceptible to this problem when a system policy is used to limit the number of objects returned to the object picker. For example, to add a domain user account to the local Administrators group on a member workstation or server in a domain, use the following command:
net localgroup groupname accountname /add
If command-line equivalents are not available or practical, manually type the appropriate accounts in the object picker dialog box, and then click OK to stop the enumeration of security principals between the client and server.
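The workaround above, carried through as an added example that is not part of the original article: a batch script that adds a domain account to the local Administrators group with net localgroup, so the object picker is never opened and no enumeration of the domain's security principals is triggered, then verifies the result. The domain name (NTDOM), account name (jsmith) and group name are assumed placeholder values; the checks after each net command are added here and are not described in the article.

```batch
@echo off
rem Added example, not from the KB article: add a Windows NT 4.0 domain account
rem to a local group without opening the object picker, so the client does not
rem enumerate every security principal in the domain.
rem DOMAIN, ACCOUNT and GROUP below are assumed placeholder values.
setlocal
set DOMAIN=NTDOM
set ACCOUNT=jsmith
set GROUP=Administrators

rem net localgroup takes the member as DOMAIN\user; quoting protects names with spaces.
net localgroup "%GROUP%" "%DOMAIN%\%ACCOUNT%" /add
if errorlevel 1 (
    echo Failed to add %DOMAIN%\%ACCOUNT% to local group %GROUP%.
    endlocal
    exit /b 1
)

rem Verify membership by listing the group and searching for the account.
rem findstr /i matches case-insensitively; /c: treats the search string literally.
net localgroup "%GROUP%" | findstr /i /c:"%DOMAIN%\%ACCOUNT%" >nul
if errorlevel 1 (
    echo %DOMAIN%\%ACCOUNT% was not found in %GROUP% after the add.
    endlocal
    exit /b 1
)
echo %DOMAIN%\%ACCOUNT% is now a member of local group %GROUP%.
endlocal
exit /b 0
```

Run the script from an elevated command prompt on the member workstation or server. Because the account is named explicitly rather than selected from a list, neither the 10-30 minute enumeration nor the flood of 560 and 562 audit events on the domain controllers occurs.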
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Windows 2000 Service Pack 1.

Article ID: 256641 - Last Review: 10/20/2013 18:08:58 - Revision: 3.3

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition