Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Permissions Are Affected After You Demote a Domain Controller

View products that this article applies to.

This article was previously published under Q320230

↑ Back to the top


After you demote a domain controller, domain local groups are not used to provide access to local resources. Note that this behavior only applies to domains that are in Mixed mode. The local group may still be displayed in the access control list (ACL). However, it cannot be used for authorization, and cannot be added to any other ACLs. When a user whose access has been defined by using a domain local group tries to use resources on the demoted server, the user may receive an "access denied" error message (or equivalent error messages).

↑ Back to the top


In mixed mode, the scope of the domain local group is the domain controllers. When a domain controller is demoted, it falls out of the scope of this group type. Even though the group SID remains in the ACL and can be resolved, they cannot be used for granting access. The reason is that the domain local group is not in the access token of users that are logged on to member computers. This only occurs when the domain is in Native mode.

↑ Back to the top


To work around this behavior, use any of the following methods:
  • Change the domain mode to Native mode to expand the scope of groups to all domain members. Note that this also prevents Windows NT 4.0 backup domain controllers from replicating. In Windows Server 2003, Windows NT 4.0 is not supported in the Windows 2000 functional level. Only Windows 2000 and Windows 2003 are supported at the Windows 2000 functional level.
    Note By default, domains in a Windows Server 2003 environment operate at the Windows 2000 mixed functional level. At this level, Windows NT 4.0, Windows 2000, and the Windows Server 2003 family are all supported.
  • Create a new local group (or domain global group), and then use the Active Directory Migration tool version 2 to translate the references from the domain local group to the newly-created group. You can do so by using the Security Translation feature with a SID mapping file. The SID mapping file contains the SID from the domain local group and the SID for the replacement group. The Active Directory Migration tool searches and replaces (or adds) the old SID with the new one.
  • You can use the Subinacl tool from the Microsoft Windows NT Resource Kit.

    For more information, visit the following Microsoft Web site:

↑ Back to the top


This behavior is by design.

↑ Back to the top

More information

When you use Windows 2000 Server and Windows 2000 Advanced Server in Mixed mode, the boundaries for domain local groups are the domain controllers for the current domain. The local groups can only be used to assign Windows NT File System (NTFS) permissions or share permissions, for example, on domain controllers for the current domain.

When a domain controller is demoted, the SIDs of the local groups remain in the access control lists, and can still be resolved to their friendly names. However, after the demotion, they cannot be used for authorization. Also, they cannot be added to either file or share permissions until the domain is switched to Native mode.

Switching the domain to Native mode provides the group flexibility to add domain local groups to the resources on non-domain controllers. For Windows 2000, this rule applies to Windows 2000 domain controllers that have been demoted and to Windows NT 4.0 domain controllers that have been upgraded and left as member servers during the upgrade process. For additional information about domain local groups, click the article number below to view the article in the Microsoft Knowledge Base:
259392� Domain Local Group Scope in Windows 2000 Domain Operation Modes

↑ Back to the top

Keywords: kbnetwork, kbprb, kbui, KB320230

↑ Back to the top

Article Info
Article ID : 320230
Revision : 8
Created on : 3/2/2007
Published on : 3/2/2007
Exists online : False
Views : 457