This article was previously published under Q316733
This article has been archived. It is offered "as is" and will no longer be updated.
If you remove a user from a different domain (in the same forest) from a domain local group, and if the domain controller on which you perform the removal operation is not a global catalog, the event is audited by Security Accounts Manager (SAM).
Note that SAM auditing must be turned on. For example, the audit policy on the domain controller must include the "Audit Account Management" policy. This is not the same as the "Audit Directory Service Access" policy, which audits the fact that the group object has been modified.
On domain controllers that are not global catalogs, references to users from other domains are stored by using phantoms. For example, if you add a user from another domain to a group, a phantom is created to represent the user so that the membership attribute can link to it in the local database (DIT).
If you are auditing removal from a group, SAM requires information about the user who is being removed. A phantom contains all of the information that is required for the audit (it contains the SID, GUID, and DN), but SAM does not use this information, or permit a network call to be placed to obtain the information from a global catalog.
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later: