When you demote a domain controller in a Mixed mode domain, domain local groups no longer provide access to local resources. You may see the local groups in the ACL (Access Control List), but a user receives an access denied error, or similar error, when they try to use resources on the demoted server.
The scope of a domain local group in a Mixed mode domain is domain controllers. Since the server was demoted, it is no longer in the scope. Domain local groups are only in the access token when users log on to member computers in a Native mode domain.
To workaround this issue, you could convert to Native mode, but this cannot be reversed.
You can also use the Windows 2000 Resource Kit utilities, GETSID and SubInACL to replace the SIDs in the ACLs.
