
NT4 and 2000 Trust

Anonymous
April 28, 2005 6:40:06 PM

Archived from groups: microsoft.public.win2000.security

NT4 domain trusts the 2000 domain, but not vice versa
Can I add a user from the 2000 domain to a local domain group in the NT4
domain?

We are doing a migration and there is a subset of computers that have the
NT4DOMAIN\APPSAdmins domain local group in the local administrator group. If
I can add the 2000Domain\user account to the NT4DOMAIN\APPSAdmins group, it
would save me a little bit of time because I could script a lot of the
security changes that need to be made using the 2000Domain\user account that
would have access to change security as well as be able to browse AD in the
2000 domain.

The domain admin will not even let me try to do it. Says "It's NT, so it
won't work." Seems to me it should, somehow.


Anonymous
April 29, 2005 4:13:38 AM

You should be able to. You should see a list of trusted domains to choose a
user/group from when you try such if the trust is correctly configured. I
don't understand why he won't even let you try. --- Steve


"Ken Loveless" <KenLoveless@discussions.microsoft.com> wrote in message
news:324B1B61-098F-43B3-9973-27CF6D3A1843@microsoft.com...
> NT4 domain trusts the 2000 domain, but not vice versa
> Can I add a user from the 2000 domain to a local domain group in the NT4
> domain?
>
> We are doing a migration and there is a subset of computers that have the
> NT4DOMAIN\APPSAdmins domain local group in the local administrator group. If
> I can add the 2000Domain\user account to the NT4DOMAIN\APPSAdmins group, it
> would save me a little bit of time because I could script a lot of the
> security changes that need to be made using the 2000Domain\user account that
> would have access to change security as well as be able to browse AD in the
> 2000 domain.
>
> The domain admin will not even let me try to do it. Says "It's NT, so it
> won't work." Seems to me it should, somehow.

Anonymous
April 29, 2005 10:42:55 AM

Just to be clear here, I think you are actually speaking of using
an NT4 domain global group. As you said
> NT4DOMAIN\APPSAdmins domain local group in the local administrator group.
but as one cannot nest groups in NT4 you must be meaning the local
administrator group on a different machine, a member of the NT4
domain; but, if that is the case then APPSAdmins is a domain global.

The local groups on NT4 domain controllers
1. were called local groups, not domain local groups
2. could be used only on the domain controllers
It has been some time since I have had machines configured in a
scenario like the one you describe, but IIRC you cannot add a
member from outside into the Global group. You must add them
into the local groups, either on members or domain controllers.
As I said, it has been some time, so I may be thinking of what
one could do with groups that came in over the trust instead of
groups and users . . .

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Ken Loveless" <KenLoveless@discussions.microsoft.com> wrote in message
news:324B1B61-098F-43B3-9973-27CF6D3A1843@microsoft.com...
> NT4 domain trusts the 2000 domain, but not vice versa
> Can I add a user from the 2000 domain to a local domain group in the NT4
> domain?
>
> We are doing a migration and there is a subset of computers that have the
> NT4DOMAIN\APPSAdmins domain local group in the local administrator group. If
> I can add the 2000Domain\user account to the NT4DOMAIN\APPSAdmins group, it
> would save me a little bit of time because I could script a lot of the
> security changes that need to be made using the 2000Domain\user account that
> would have access to change security as well as be able to browse AD in the
> 2000 domain.
>
> The domain admin will not even let me try to do it. Says "It's NT, so it
> won't work." Seems to me it should, somehow.