JSI Tip 3049. Members of a Domain Local Group are NOT granted rights?

The Domain Local Group feature is new for Windows 2000. It is used in member servers and workstations in Native mode domains, and can contain members from anywhere in the forest, in trusted forests, or in a trusted pre–Windows 2000 domain. Domain local groups can grant permissions to any resources within the domain in which they exist. Domain local groups are used to gather security principals from across the forest, making controlling access to resources easier.

A user complains that they cannot log on locally to a Windows 2000 Professional workstation. When you open the Local Security Policy snap-in and check the User Rights Assignments, the Effective Setting column indicates that a Domain local group has been granted the user right, but this user can't log on locally.

If you have a Mixed-mode domain, local groups can NOT grant permission or rights on computers that they do not reside on.

NOTE: In Mixed-mode, local groups behave the same in Windows NT and Windows 2000.

To resolve the problem, you must remove any Windows NT domain controllers and convert to Native mode, using Active Directory Domains and Trusts. In Native mode, local groups become Domain local groups.

NOTE: See tip 2406 » How do I migrate a Windows NT 4.0 Global Group to a Windows 2000 Domain Local Group and maintain the SID(s)?
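
The following audit check is an added example, not part of the original tip: it flags user rights on a member computer that are granted to a domain local group while the domain is still in Mixed mode, which is the condition described above. It assumes the rights come from the [Privilege Rights] section of an exported security template (where "Log on locally" appears as SeInteractiveLogonRight) and that each group's groupType and the domain's nTMixedDomain value have been read from the directory. The SIDs, group names and function names are constructed for illustration.

```python
import configparser

# groupType bits and the nTMixedDomain value as defined by Active Directory.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_RESOURCE = 0x00000004   # domain local scope
MIXED_MODE = 1                     # nTMixedDomain: 1 = mixed, 0 = native

# Constructed sample: [Privilege Rights] section exported from a workstation.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1106
"""

# Constructed sample: name and groupType looked up for each domain SID.
SAMPLE_GROUPS = {
    "S-1-5-21-1111-2222-3333-1105": ("DL-Workstation-Logon", -2147483644),  # domain local
    "S-1-5-21-1111-2222-3333-1106": ("GG-Helpdesk", -2147483646),           # global
}

def is_domain_local(group_type):
    """True for a domain local group that is not a Builtin group."""
    bits = group_type & 0xFFFFFFFF   # groupType is stored as a signed 32-bit value
    return bool(bits & GROUP_TYPE_RESOURCE) and not bits & GROUP_TYPE_BUILTIN_LOCAL

def ineffective_grants(inf_text, groups, nt_mixed_domain):
    """Return (right, group name) pairs that name a domain local group while
    the domain is in Mixed mode, where the grant has no effect on a member."""
    if nt_mixed_domain != MIXED_MODE:
        return []
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the case of the right names
    parser.read_string(inf_text)
    findings = []
    for right, value in parser["Privilege Rights"].items():
        for entry in value.split(","):
            sid = entry.strip().lstrip("*")
            name, group_type = groups.get(sid, (None, 0))
            if name and is_domain_local(group_type):
                findings.append((right, name))
    return findings

if __name__ == "__main__":
    for right, name in ineffective_grants(SAMPLE_INF, SAMPLE_GROUPS, MIXED_MODE):
        print(f"{right}: '{name}' is a domain local group; grant is ineffective in Mixed mode")
```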

