Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you upgrade a primary domain controller (PDC) running Windows NT Server 4.0 or earlier to a server running Windows Server 2003, existing Windows NT groups are converted in the following ways:
Windows NT local groups are converted to domain local groups on servers running Windows Server 2003.
Windows NT global groups are converted to global groups on servers running Windows Server 2003.
Domain member computers running Windows NT can continue to display and access the converted groups. The groups appear to these clients as Windows NT 4.0 local and global groups. However, a Windows NT client cannot display members of groups or modify the member properties when that membership violates Windows NT group rules. For example, when a Windows NT client views the members of a global group on a server running Windows Server 2003, it does not view any other groups that are members of that global group.
Converted groups and Microsoft Exchange
Exchange allows users to arrange e-mail addresses in groups and distribution lists. When Exchange servers are upgraded to Active Directory, the Exchange distribution lists are converted to distribution groups with universal scope. The administrator can convert the group to a security group later, if desired, by using Active Directory Users and Computers to change the group properties. The messaging application programming interface (MAPI) enables computers running previous version Exchange clients to view the converted distribution group.
Using converted groups with servers running Windows Server 2003
Client computers that do not run Active Directory client software identify groups with universal scope on servers running Windows Server 2003 as having global scope instead. When viewing the members of a group with universal scope, the Windows NT client can only view and access group members that conform to the membership rules of global groups on servers running Windows Server 2003.
In a Windows Server 2003 domain that is set to a domain functional level of Windows 2000 native, all the domain controllers must be running on servers running Windows Server 2003. However, the domain can contain member servers that run Windows NT Server 4.0. These servers view groups with universal scope as having global scope and can assign groups with universal scope rights and permissions and place them in local groups.
In a Windows Server 2003 domain, a Windows NT Server 4.0 member server running Windows NT administrative tools cannot access domain local groups. However, you can work around this by using a server running Windows Server 2003 and using its Windows Server 2003 Administration Tools Pack to access the server running Windows NT Server 4.0. You can use the Administration Tools Pack to display the domain local groups and assign to them permissions to resources on the server running Windows NT Server 4.0.