No announcement yet.

Interesting Group Related Access Issue

  • Filter
  • Time
  • Show
Clear All
new posts

  • Interesting Group Related Access Issue

    I've found an intriguing issue which I'm sure will be quickly solved, but I've been Googling and nothing specific has come up so far.

    I've just inherited a W2K Mixed Mode network. 3 DCs, 1 Domain at the root of the forest, all running W2k SP4. Pretty basic stuff.

    The other day, I decided to demote one of the DCs because it was a file server as well and I wanted to clean things up a bit. When I did, some users lost access to certain resources.

    Further investigation showed that the users in question were permitted access to the resource by way of nested membership of the Domain Users group. The Domain Users group was a member of a DL group that granted access. Fine, but why did that fail after the demotion?

    I checked DNS, all fine, nothing appeared to be wrong with the users' machine either. So I tested by granting the user access directly on the resource. That worked no problem at all. Also, users who were members of the DL group were fine as well.

    I re-promoted the server to be a DC and suddenly everything went back to normal!

    This is pointing towards a nested group issue of course, but I didn't think that worked under mixed mode in 2000 anyway. Does anyone know why the members of the nested group are granted access when the server holding the resources is a DC, but not when it isn't?

    I nerd therefore I am!

  • #2
    Re: Interesting Group Related Access Issue

    Well, it's been a long old time since I worked with a 2000 mixed mode domain, and I think I've answered my own question

    The domain local groups act like NT local groups in mixed mode. So for a Domain Local group membership to take affect on a resource, the server needs to be a DC. That way, it treats the group like it was a local group on a stand-alone machine.

    Makes sense now, if anyone disagrees with that conclusion I'd be interested to hear.
    I nerd therefore I am!


    • #3
      Re: Interesting Group Related Access Issue

      tanks for sharing the solution with us.