JSI Tip 5180. After you demote a domain controller, domain local groups do NOT provide access to local resources?

When you demote a domain controller in a Mixed mode domain, domain local groups no longer provide access to local resources. You may see the local groups in the ACL (Access Control List), but a user receives an access denied error, or similar error, when they try to use resources on the demoted server.

The scope of a domain local group in a Mixed mode domain is domain controllers. Since the server was demoted, it is no longer in the scope. Domain local groups are only in the access token when users log on to member computers in a Native mode domain.

To work around this issue, you could convert the domain to Native mode, but this change cannot be reversed.

You can also use the Windows 2000 Resource Kit utilities GETSID and SubInACL to replace the domain local group SIDs in the ACLs with the SIDs of groups that are still in the users' access tokens.
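As an added example (not part of the original tip), the following PowerShell audit lists the explicit ACEs under a share root that still name domain local groups, so you know which ACLs SubInACL has to rewrite before users hit access denied. It assumes a current admin workstation with the ActiveDirectory module, that `$Root` points at the demoted server's files (locally or via a UNC path), and that `$ReplacementGroup` is a placeholder for the global group you choose.

```powershell
# Added example: find explicit NTFS ACEs on a demoted DC that still reference
# domain local groups. Assumes the ActiveDirectory module; $Root and
# $ReplacementGroup are constructed placeholders, not values from the tip.
param(
    [string]$Root = '\\DEMOTED-SERVER\Data',       # placeholder UNC path
    [string]$ReplacementGroup = 'GlobalGroupToUse' # placeholder global group
)

Import-Module ActiveDirectory

$netbios = (Get-ADDomain).NetBIOSName

# Domain local groups are the ones that drop out of the access token once the
# server is no longer a domain controller in a Mixed mode domain.
$domainLocal = @{}
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' |
    ForEach-Object { $domainLocal["$netbios\$($_.SamAccountName)"] = $true }

$findings = foreach ($item in Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are fixed by fixing the parent, so only report explicit ones.
        if ($ace.IsInherited) { continue }
        $who = $ace.IdentityReference.Value   # "DOMAIN\Name" for resolvable accounts
        if ($domainLocal.ContainsKey($who)) {
            [pscustomobject]@{
                Path   = $item.FullName
                Group  = $who
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
                # SubInACL's /replace option swaps one account's SID for another in
                # the ACL; the command is printed for review, not executed here.
                Fix    = "subinacl /file `"$($item.FullName)`" /replace=$who=$netbios\$ReplacementGroup"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Unresolvable SIDs (deleted groups) show up as raw `S-1-5-...` strings in `IdentityReference` and are not matched by name; compare those against GETSID output separately.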
