Microsoft Knowledge Base Article 823659 contains the following summary:
This article describes incompatibilities that may occur on client computers that are running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 when you modify specific security settings and user rights assignments in Windows NT 4.0 domains, in Windows 2000 domains, and in Windows Server 2003 domains. By configuring these settings and assignments in local policies and in group policies, you can help tighten the security on domain controllers and on member computers. The downside of increased security is the introduction of incompatibilities with clients, with services, and with programs.

This article contains examples of clients, of programs, and of operations that are affected by specific security settings or user rights assignments. However, the examples are not authoritative for all Microsoft operating systems, for all third-party operating systems, or for all program versions that are affected. Not all security settings and user rights assignments are included in this article.

Microsoft recommends that you validate the compatibility of all security-related configuration changes in a test forest before you introduce them in a production environment. The test forest must mirror the production forest in the following ways:
• Client and server operating system versions, client and server programs, service pack versions, hotfixes, schema changes, security groups, group memberships, permissions on objects in the file system, shared folders, the registry, Active Directory directory service, local and Group Policy settings, and object count type and location
• Administrative tasks that are performed, administrative tools that are used, and operating systems that are used to perform administrative tasks
• Operations that are performed, including computer and user logon authentication; password resets by users, by computers, and by administrators; browsing; setting permissions for the file system, for shared folders, for the registry, and for Active Directory resources by using ACL Editor in all client operating systems in all account or resource domains from all client operating systems from all account or resource domains; printing from administrative and non-administrative accounts