DOCUMENT:Q102382  17-AUG-1993  [W_NT]
TITLE   :Downlevel Servers Included in Two Groups When Created
PRODUCT :Windows NT
PROD/VER:3.10
OPER/SYS:WINDOWS
KEYWORDS:

--------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT operating system, version 3.1
 - Microsoft Windows NT Advanced Server, version 3.1
--------------------------------------------------------------

SYMPTOMS
========

When downlevel servers (LAN Manager 2.x machines) are created as
members of a Windows NT Domain, their machine accounts are members of
the Servers Global group and the Domain Users Global group.

CAUSE
=====

When NET ACCOUNTS /ROLE:BACKUP is invoked, LAN Manager server adds
this account and makes it a member of Servers group. It should also
remove it from Users group. The account causes no problems: no one can
use it because its password is machine generated. If its inclusion in
Domain Users is undesirable, the NT administrator can simply change
its primary group to Servers and then remove it from Users. Netlogon
will still work.

RESOLUTION
==========

This is by design. There is no real problem with the account being a
member of Users.

MORE INFORMATION
================

Steps to Reproduce Behavior
---------------------------

NOTE: Two machines are required for this procedure.

1. On machine A, run Windows NT Advanced Server as a primary domain
   controller (PDC).

2. On machine B, run OS/2 and LAN Manager 2.2 as a backup domain
   controller (BDC) in the same domain as machine A.
 
3. On machine A, start the User Manager for domains. Notice that
   machine B is listed in the Main User list.

4. Double-click the Machine account so that the properties dialog box
   of that account is displayed.

5. Click Groups. Notice that the Machine account is a member of the
   Servers Global group and the Domain Users Global group.

Additional reference words: 3.10
KBCategory:
KBSubCategory:

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1993.