This tip was submitted to the SearchWin2000.com Tip Exchange by member Paulo Seabra. Let other users know how useful it is by rating the tip below.
I solved a problem recently, involving AD and the way it deals with NT, that I thought might be useful to some of my fellow users. We have a Win2k domain with Active Directory in native mode that has 20 PCs running Win2k Professional -- but we still have five NT workstations. One morning, I was called upon to figure out why the NT machines could not enter the domain. We had never encountered this problem before.
I eventually figured out that the error we were seeing in the event viewer involved the trust relationship between the workstation and the domain. First, we tried removing the NT machines from the domain until AD showed no further errors. Then we added the NT machines again -- but the error persisted!
We investigated all of the user accounts for lockouts and found none. Users with Win2k Pro could enter the domain without any problems but there was still no way to log on from the NT machines. We simply could not figure out what the problem was.
Thankfully, after a considerable amount of time had been devoted to this issue, I remembered to look at the domain security policy -- we had set it to restrict anonymous access so it would not allow the enumeration of SAM accounts and shares.
All we needed to do to resolve the problem was to apply the setting 'none-rely' on default permissions, and then configure 'secedit refreshpolicy /machine_policy /enforce'. After 5 minutes, the NT users could log on again.
So remember -- AD uses a special 'anonymous' group for pre Win2k clients. I hope this helps anyone encountering similar difficulties.