Access Denied: Configuring Anonymous Access on Win2K

When I promote a Windows 2000 server to a domain controller (DC) and create a new Active Directory (AD) domain, why does Win2K ask me whether I want to configure the DC with Permissions compatible only with Windows 2000 servers or Permissions compatible with pre-Windows 2000 servers? What considerations should drive this decision, and what are the effects of both choices?

Microsoft received a lot of criticism for the amount of access it granted to Anonymous logons in Windows NT. By default, anonymous users could query the domain for users, group memberships, and potentially sensitive information. Some server programs, such as NT RAS, depend on the ability to connect anonymously to the DC to get user and group information. In Win2K, Microsoft changed the way the OS handles anonymous connections. When you create a new domain, Win2K asks the question you've seen. What the OS is really asking is "Should I allow anonymous logons to access information in the domain (like NT did) in case server programs need to connect anonymously?"

Regardless of your response, Win2K grants the Pre-Windows 2000 Compatible Access group Read access to just about everything in the domain, including users and groups. However, Win2K doesn't add any members to the group unless you select Permissions compatible with pre-Windows 2000 servers. In that case, Win2K makes the Everyone group a member of the Pre-Windows 2000 Compatible Access group, which ultimately downgrades Win2K to the NT way of handling anonymous access. If possible, you should avoid selecting Permissions compatible with pre-Windows 2000 servers. Even if you have NT RAS servers, you don't need to select this option unless your domain is running in mixed mode. However, you might need to choose this option if you have Win2K RAS servers in a trusted NT domain. For more information, see the Windows & .NET Magazine article "Integrating Windows 2000 and Windows NT 4.0 RAS," Summer 2000, http://www.winnetmag.com, InstantDoc ID 8899. If you don't think you need NT-style anonymous access, select Permissions compatible only with Windows 2000 servers so that Win2K will leave the Pre-Windows 2000 Compatible Access group empty. Either way, if you realized you made the wrong choice, all you need to do is run one of the following commands:

net localgroup "Pre-Windows 2000   Compatible Access"   everyone /add

or

net localgroup "Pre-Windows 2000   Compatible Access"   everyone /delete

to add or delete Everyone from the group, respectively. You must reboot all DCs for the change to take effect.