Domain Local Group scope in Windows 2000 domain operation modes
This article was previously published under Q259392
This article has been archived. It is offered "as is" and will no longer be updated.
This article explains the scope of the Active Directory Domain Local Group in a Windows 2000 domain and how the Domain Local Security Group scope is applied in an access token associated with a logged on user.
A Windows 2000 domain that is operating in mixed mode can have Microsoft Windows NT 4.0 Backup Domain Controllers (BDCs) as members of the domain. However, a Windows 2000 domain that is operating in native mode cannot have Microsoft Windows NT 4.0 BDCs as members of the domain. If a Windows 2000 domain is operating in mixed mode, the scope of a Domain Local Group is within the set of domain controllers only. The domain controllers include Windows 2000 domain controllers as well as Windows NT 4.0 BDCs. The Windows 2000 Domain Local Group Scope behaves similarly to the Windows NT Local Group in mixed mode. If the Windows 2000 domain is operating in native mode, the scope of a Domain Local Group is within all the members of the domain.
Active Directory groups can be either security or distribution groups. Only security groups listed in Access Control Lists (ACLs) can be used to secure resources and objects. Distribution groups are not security enabled. The access control functions allow any valid group SID to be specified in an Access Control Entry (ACE). However, the token that is generated by the system for a logged on user has only security groups.
In a Windows 2000 domain that is operating in mixed mode, if a domain user logs in who is a member of a Domain Local Security Group, the token that is generated for the logged on user will not have Domain Local Security Group in TOKEN_GROUPS.
In a Windows 2000 domain that is operating in native mode, if a domain user logs in who is a member of a Domain Local Security Group, the token that is generated for the logged on user has Domain Local Security Group in TOKEN_GROUPS.
For detailed information about Active Directory Groups and what type of groups to use, refer to the Active Directory, ADSI, and Directory Services topic in the Microsoft Platform Software Development Kit (SDK) or MSDN documentation under Networking and Directory Services.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
101471 Local and global groups in Windows NT and Advanced Server
Article ID: 259392 - Last Review: 02/28/2014 00:32:06 - Revision: 5.1
Microsoft Win32 Application Programming Interface
- kbnosurvey kbarchive kbacl kbapi kbinfo kbkernbase kbsecurity KB259392