Members of a Domain Local Group Are Not Granted Rights (260534)

SYMPTOMS

In Microsoft Windows 2000, a domain local group is created when users or groups are added to the domain. This domain local group is added to a user right, such as Log on Locally, in a Group Policy Object (GPO) that is applied to a member server or a member workstation. At the member server, when you look at the User Rights Assignments setting in the Local Security Policy snap-in, the Effective Setting column may indicate that the domain local group has been granted the user right. However, members of the group may not actually have the user right.

CAUSE

This behavior can occur because the Windows 2000 domain is running in Mixed mode, and in Mixed Mode local groups cannot grant permissions on computers that they do not reside on. Note that in Mixed mode local groups behave the same in both Microsoft Windows NT and Windows 2000. There is an exception for domain local groups created on a domain controller. The replication between domain controllers causes domain local groups to be shared between the domain controllers.

RESOLUTION

To resolve this issue, you must convert the Windows 2000 domain to Native mode. In Native mode, local groups become domain local groups. The Domain Local Group feature is new in Windows 2000.

MORE INFORMATION

The Domain Local Groups feature is used in member servers and workstations in Native mode domains and can contain members from anywhere in the forest, in trusted forests, or in a trusted pre-Windows 2000 domain. Domain local groups can grant permissions to any resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain.

For additional information on supported modes in Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

186153 Modes Supported by Windows 2000 Domain Controllers