Downlevel Servers Included in Two Groups When Created

• Microsoft Windows NT operating system version 3.1
• Microsoft Windows NT Advanced Server version 3.1

SYMPTOMS

When downlevel servers (LAN Manager 2.x machines) are created as members of a Windows NT Domain, their machine accounts are members of the Servers Global group and the Domain Users Global group.

CAUSE

When NET ACCOUNTS /ROLE:BACKUP is invoked, LAN Manager server adds this account and makes it a member of Servers group. It should also remove it from Users group. The account causes no problems. No one can use it because its password is machine generated. If its inclusion in Domain Users is undesirable, an administrator can simply change its primary group to Servers and then remove it from Users. Netlogon will still work.

RESOLUTION

This is by design. There is no real problem with the account being a member of Users.

MORE INFORMATION

Steps to Reproduce Behavior

NOTE: Two machines are required for this procedure.

1. On machine A, run Windows NT Advanced Server as a primary domain controller or server.

2. On machine B, run OS/2 and LAN Manager 2.2 as a backup domain controller (BDC) in the same domain as machine A.

3. On machine A, start the User Manager for domains. Notice that machine B is listed in the Main User list.

4. Double-click the Machine account so that the properties dialog box of that account is displayed.

5. Click Groups. Notice that the Machine account is a member of the Servers Global group and the Domain Users Global group.