NT4 and 2000 Trust

[Guest]

NT4 domain trusts the 2000 domain, but not vice versa
Can I add a user from the 2000 domain to a local domain group in the NT4
domain?

We are doing a migration and there is a subset of computers that have the
NT4DOMAIN\APPSAdmins domain local group in the local administrator group. If
I can add the 2000Domain\user account to the NT4DOMAIN\APPSAdmins group, it
would save me a little bit of time because I could script a lot of the
security changes that need to be made using the 2000Domain\user account that
would have access to change security as well as be able to browse AD in the
2000 domain.

The domain admin will not even let me try to do it. Says "It's NT, so it
won't work." Seems to me is should, somehow.

 

[Steven L Umbach]

You should be able to. You should see a list of trusted domains to choose a
user/group from when you try such if the trust is correctly configured. I
don't understand why he won't even let you try. --- Steve

 

[Roger Abell]

Just to be clear here, I think you are actually speaking of using
a NT4 domain global group. As you said

NT4DOMAIN\APPSAdmins domain local group in the local administrator group.

but as one cannot nest group in NT4 you must be meaning the local
administrator group on a different machine, a member of the NT4
domain; but, if that is the case then APPSAdmins is a domain global.

The local groups on NT4 domain controllers
1. were called local groups, not domain local groups
2. could be used only on the domain controllers
It has been some time since I have had machines configured in a
scenario like the one you describe, but IIRC you cannot add a
member from outside into the Global group. You must add them
into the local groups, either on members of domain controllers.
As I said, it has been some time, so I may be thinking of what
one could do with groups that came in over the trust instead of
groups and users . . .