Permissions Are Affected After You Demote a Domain Controller

After you demote a domain controller, domain local groups are not used to provide access to local resources. Note that this behavior only applies to domains that are in Mixed mode. The local group may still be displayed in the access control list (ACL). However, it cannot be used for authorization, and cannot be added to any other ACLs. When a user whose access has been defined by using a domain local group tries to use resources on the demoted server, the user may receive an "access denied" error message (or equivalent error messages).

In mixed mode, the scope of the domain local group is the domain controllers. When a domain controller is demoted, it falls out of the scope of this group type. Even though the group SID remains in the ACL and can be resolved, they cannot be used for granting access. The reason is that the domain local group is not in the access token of users that are logged on to member computers. This only occurs when the domain is in Native mode.

To work around this behavior, use any of the following methods:

• Change the domain mode to Native mode to expand the scope of groups to all domain members. Note that this also prevents Windows NT 4.0 backup domain controllers from replicating. In Windows Server 2003, Windows NT 4.0 is not supported in the Windows 2000 functional level. Only Windows 2000 and Windows 2003 are supported at the Windows 2000 functional level.
  Note By default, domains in a Windows Server 2003 environment operate at the Windows 2000 mixed functional level. At this level, Windows NT 4.0, Windows 2000, and the Windows Server 2003 family are all supported.
• Create a new local group (or domain global group), and then use the Active Directory Migration tool version 2 to translate the references from the domain local group to the newly-created group. You can do so by using the Security Translation feature with a SID mapping file. The SID mapping file contains the SID from the domain local group and the SID for the replacement group. The Active Directory Migration tool searches and replaces (or adds) the old SID with the new one.
• You can use the Subinacl tool from the Microsoft Windows NT Resource Kit.
  
  For more information, visit the following Microsoft Web site:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

This behavior is by design.

When you use Windows 2000 Server and Windows 2000 Advanced Server in Mixed mode, the boundaries for domain local groups are the domain controllers for the current domain. The local groups can only be used to assign Windows NT File System (NTFS) permissions or share permissions, for example, on domain controllers for the current domain.

When a domain controller is demoted, the SIDs of the local groups remain in the access control lists, and can still be resolved to their friendly names. However, after the demotion, they cannot be used for authorization. Also, they cannot be added to either file or share permissions until the domain is switched to Native mode.

Switching the domain to Native mode provides the group flexibility to add domain local groups to the resources on non-domain controllers. For Windows 2000, this rule applies to Windows 2000 domain controllers that have been demoted and to Windows NT 4.0 domain controllers that have been upgraded and left as member servers during the upgrade process. For additional information about domain local groups, click the article number below to view the article in the Microsoft Knowledge Base: