Permissions Are Affected After Demoting a Domain Controller
After we demote a domain controller, domain local groups can no longer be used to grant access to resources on that server. Note that this behavior only applies to domains that are in Mixed mode. The domain local group may still be displayed in the access control list (ACL). However, it cannot be used for authorization, and it cannot be added to any other ACLs. When a user whose access has been granted through a domain local group tries to use resources on the demoted server, the user may receive an "access denied" error message (or an equivalent error message).
In Mixed mode, the scope of a domain local group is limited to the domain controllers. When a domain controller is demoted, it falls out of the scope of this group type. Even though the group's SID remains in the ACL and can still be resolved to a name, the group cannot be used to grant access. The reason is that the domain local group is not in the access token of users who are logged on to member computers; domain local groups are placed in that token only when the domain is in Native mode.
To work around this behavior, use any of the following methods:
- Change the domain mode to Native mode to expand the scope of domain local groups to all domain members. Note that this also prevents Windows NT 4.0 backup domain controllers from replicating. In Windows Server 2003, Windows NT 4.0 is not supported at the Windows 2000 functional level. Only Windows 2000 and Windows Server 2003 are supported at the Windows 2000 functional level.
- Create a new local group (or domain global group), and then use the Active Directory Migration Tool version 2 to translate the references from the domain local group to the newly created group. We can do so by using the Security Translation feature with a SID mapping file. The SID mapping file contains the SID of the domain local group and the SID of the replacement group. The Active Directory Migration Tool searches for the old SID and replaces it with (or adds) the new one.
- We can use the Subinacl tool from the Microsoft Windows NT Resource Kit to replace the old SID with the new one directly in the ACLs.
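The following PowerShell script is an added example, not code from this page, from Microsoft or from the ADMT or Subinacl tools. It performs the check a practitioner wants before (and after) applying the second workaround: it walks a folder tree on the demoted server, reports every explicit ACE that still refers to the SID of the domain local group, and, only when run with -Fix, adds an equivalent ACE for the replacement group (mirroring the "add" rather than "replace" behaviour, so the old entry remains for rollback). The parameter names, the placeholder SIDs in the comments and the "add, don't replace" policy are assumptions of this example; the two SIDs must be obtained from the directory (for example with Get-ADGroup) before running it.

```powershell
# Added example (not from the page, Microsoft, ADMT or Subinacl): audit file-system ACLs
# for ACEs that reference a demoted domain local group and optionally add a matching ACE
# for its replacement group. Run on the demoted server with rights to read/modify the ACLs.
param(
    [Parameter(Mandatory)][string]$Path,    # root folder to scan, e.g. D:\Shares
    [Parameter(Mandatory)][string]$OldSid,  # SID of the domain local group (placeholder: S-1-5-21-<domain>-<rid>)
    [Parameter(Mandatory)][string]$NewSid,  # SID of the replacement global/local group
    [switch]$Fix                            # without -Fix the script only reports
)

$old = New-Object System.Security.Principal.SecurityIdentifier($OldSid)
$new = New-Object System.Security.Principal.SecurityIdentifier($NewSid)

$report = foreach ($item in Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Only explicit (non-inherited) ACEs are examined: an inherited ACE is corrected by
    # correcting the parent object that carries the explicit entry.
    $hits = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $old }

    foreach ($ace in $hits) {
        # Emit one report row per stale ACE so the output can be reviewed or exported.
        [pscustomobject]@{
            Path   = $item.FullName
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
        }

        if ($Fix) {
            # Clone the stale ACE for the new group, keeping rights, inheritance and
            # propagation flags identical, and add it alongside the old entry.
            $clone = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $new, $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($clone)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Summary of every object that still depends on the demoted domain local group.
$report | Format-Table -AutoSize
```

Run it first without -Fix to obtain the list of affected objects; an empty list after translation (whether done by this script, by ADMT with a SID mapping file, or by Subinacl) confirms that no resource on the server still depends on the unusable group. Denied-access ACEs are reported and cloned as well, so a deny that protected data through the old group is not silently lost.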
For more information on this topic, please refer to the following MS KB article:
"Permissions Are Affected After You Demote a Domain Controller": http://support.microsoft.com/kb/320230
NOTE: The above-mentioned URL will take you to a non-HP Web site. HP does not control and is not responsible for information outside of the HP Web site.