Re: NT4 and 2000 Trust
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/29/05
- In reply to: Ken Loveless: "NT4 and 2000 Trust"
Date: Fri, 29 Apr 2005 06:42:55 -0700
Just to be clear here, I think you are actually speaking of using
an NT4 domain global group. As you said
> NT4DOMAIN\APPSAdmins domain local group in the local administrator group.
but as one cannot nest groups in NT4 you must be meaning the local
administrator group on a different machine, a member of the NT4
domain; but, if that is the case then APPSAdmins is a domain global.
The local groups on NT4 domain controllers
1. were called local groups, not domain local groups
2. could be used only on the domain controllers
It has been some time since I have had machines configured in a
scenario like the one you describe, but IIRC you cannot add a
member from outside into the Global group. You must add them
into the local groups, either on members or domain controllers.
As I said, it has been some time, so I may be thinking of what
one could do with groups that came in over the trust instead of
groups and users . . .
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Ken Loveless" <KenLoveless@discussions.microsoft.com> wrote in message
news:324B1B61-098F-43B3-9973-27CF6D3A1843@microsoft.com...
> NT4 domain trusts the 2000 domain, but not vice versa
> Can I add a user from the 2000 domain to a local domain group in the NT4
> domain?
>
> We are doing a migration and there is a subset of computers that have the
> NT4DOMAIN\APPSAdmins domain local group in the local administrator group. If
> I can add the 2000Domain\user account to the NT4DOMAIN\APPSAdmins group, it
> would save me a little bit of time because I could script a lot of the
> security changes that need to be made using the 2000Domain\user account that
> would have access to change security as well as be able to browse AD in the
> 2000 domain.
>
> The domain admin will not even let me try to do it. Says "It's NT, so it
> won't work." Seems to me it should, somehow.