This article was previously published under Q257942
This article has been archived. It is offered "as is" and will no longer be updated.
When you are trying to add users from a Windows 2000-based domain to an access control list (ACL) or group on a Windows NT 4.0-based system, the list of users may not be enumerated and you may receive the following error message:
Unable to browse the selected domain because the following error occurred: Access is denied.
This issue occurs when a Windows NT 4.0-based system attempts to enumerate the list of users from a Windows 2000-based domain. Windows NT 4.0 first attempts to connect to the Windows 2000-based domain controller with the account used to log on to the Windows NT 4.0-based system. If this account is not a member of the Windows 2000-based domain or trusted domain, the connection does not succeed. Windows NT 4.0 then tries a null connection, and this also does not succeed.
This is expected behavior if, when you promote the Windows 2000-based domain controller, you specify the following option during the Dcpromo process:
Permissions compatible only with Windows 2000 servers
Select this option if you run server programs only on Windows 2000 servers that are members of Windows 2000 domains. Only authenticated users can read information on this domain.
To resolve this issue, add the Everyone group to the "Pre-Windows 2000 Compatible Access" group on the Windows 2000-based domain controller, and then reboot the domain controller.
To make the change, run the following command from a command prompt. Run the command as specified, including the quotation marks. The quotation marks are necessary because the target group name contains spaces.
To add the Everyone group:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
For additional information about this group and its functionality, please see the following article in the Microsoft Knowledge Base:
NOTE: You must reboot all the domain controllers after adding the Everyone group to the "Pre-Windows 2000 Compatible Access" group; otherwise the change will not take effect. If you reboot only the DC on which you made the change, only that DC will be affected unless you also reboot the rest of the DCs in the domain.
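To confirm whether the Everyone group is currently a member of "Pre-Windows 2000 Compatible Access", before or after running the command above, a read-only check such as the following can be used. This is an added example, not part of the original Microsoft article; it assumes English group and account names, and the temporary file name is hypothetical.

```bat
@echo off
rem Added example, not from the original article.
rem Read-only check: reports whether Everyone is a member of the
rem "Pre-Windows 2000 Compatible Access" group. Makes no changes.
rem Assumes English group and account names, as used in the article.
rem Exit codes: 0 = Everyone is a member, 1 = not a member, 2 = query failed.
setlocal
set "GROUP=Pre-Windows 2000 Compatible Access"
rem Hypothetical temporary file name used to hold the member listing.
set "LISTING=%TEMP%\prew2k_members.txt"

rem Capture the member list; stop if the group cannot be queried.
net localgroup "%GROUP%" > "%LISTING%" 2>nul
if errorlevel 1 (
    echo Could not query "%GROUP%". Run this on a domain controller as an administrator.
    del "%LISTING%" 2>nul
    exit /b 2
)

rem Members are printed one per line; match a line that begins with Everyone.
findstr /i /b /c:"Everyone" "%LISTING%" >nul
if errorlevel 1 (
    echo Everyone is NOT a member of "%GROUP%".
    echo Only authenticated users can read information on this domain.
    set RESULT=1
) else (
    echo Everyone IS a member of "%GROUP%".
    echo The change takes effect on each domain controller only after it is rebooted.
    set RESULT=0
)

del "%LISTING%" 2>nul
exit /b %RESULT%
```

The exit code lets the check be used from another script to record which state the domain is in.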