JSI Tip 2298. Error when trying to add Windows 2000 domain users to the ACL of a Windows NT 4.0 system - Access is denied?

When you try to add users from a Windows 2000 domain to an ACL or group on a Windows NT 4.0 system, you may not see the list of users and you receive:

Unable to browse the selected domain because the following error occurred: Access is denied.

When your Windows NT 4.0 computer tries to connect to the Windows 2000 DC, it uses your Windows NT 4.0 account to connect. If this account is not a member of the Windows 2000 domain or of a trusted domain, the attempt fails. Windows NT 4.0 then tries a null connection. When this also fails, you receive the error above.

This behavior occurs because, when you promoted your Windows 2000 DC, you selected Permissions compatible only with Windows 2000 servers.

You can resolve the problem by typing (on the Windows 2000 DC):

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

You must then shut down and restart the Windows 2000 DC.

When Windows NT 4.0 computers no longer exist in the domain, type:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete

and restart your domain controller. This removes the ability of anonymous users to read domain information.
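
To confirm whether Everyone is still in the group after the cleanup, the following added example (not part of the original tip) parses the member list printed by net localgroup. It assumes a domain controller where PowerShell is available and English-language net output; the function names, the watch list, and the sample output are constructed for illustration.

```powershell
# Added example: audit membership of the group named in this tip.
# Assumes English-language "net localgroup" output.
$Group = 'Pre-Windows 2000 Compatible Access'
# Assumed watch list: principals that open the group to anonymous or very broad access.
$Broad = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')

function Get-NetLocalGroupMember {
    param([string[]]$NetOutput)
    # Members are listed between the dashed rule and the completion message.
    $inList = $false
    foreach ($line in $NetOutput) {
        $text = $line.Trim()
        if ($text -match '^-{5,}$') { $inList = $true; continue }
        if ($text -like 'The command completed*') { break }
        if ($inList -and $text) { $text }
    }
}

function Test-BroadAccess {
    param([string[]]$Members)
    # -contains compares strings case-insensitively in PowerShell.
    $Members | Where-Object { $Broad -contains $_ }
}

# Constructed sample of "net localgroup" output, so the parser can be checked offline.
$sample = @(
    "Alias name     $Group",
    'Comment        (constructed sample)',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Everyone',
    'The command completed successfully.'
)

# Run with -Live on the domain controller to query the real group instead of the sample.
$output = if ($args -contains '-Live') { & net.exe localgroup $Group } else { $sample }

$members = @(Get-NetLocalGroupMember -NetOutput $output)
$hits = @(Test-BroadAccess -Members $members)
if ($hits.Count -gt 0) {
    Write-Output "REVIEW: '$Group' contains: $($hits -join ', ')"
} else {
    Write-Output "OK: no broad principals in '$Group'"
}
```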
