Missing "Pre-Windows 2000 Compatibilty Access" Built-in Group

I am trying to run adprep /domainprep /gpprep. on a win2k Server.
I have run adprep /forestprep succesfullly.

The group is not in the Built-in accounts in Domain or local security policies

Iget an error saying the "Everyone" needs to be added to the"Pre-Windows 2000 Compatibilty Access" Group. Here is the log file:

Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group.




For backward compatibility, Adprep requires that the Anonymous Logon security group be a member of the pre-Windows 2000 Compatible Access security group if the Everyone group is also a member. On domain controllers running Windows Server 2003, the Everyone group no longer includes Anonymous Logon.

[User Action]

Check the log file Adprep.log in the system root System32\Debug\Adprep\Logs directory for more information.

Adprep encountered a Win32 error.

Error code: 0x5 Error message: Access is denied..

Adprep was unable to update domain-wide information.


Adprep requires access to existing domain-wide information from the infrastructure master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the C:\WINNT\system32\debug\adprep\logs\20061109142105 directory for more information.

Who is Participating?
Computer101Connect With a Mentor Commented:
PAQed with points refunded (500)

EE Admin
Nirmal SharmaSolution ArchitectCommented:
Is Domain in Mixed Mode?

Are you running adprep using Schema Admin?

Can you check if Infrastructure Master is alive and reachable?

Can you check if Schema FSMO is available?

Can you add Anonymous Logon user to Pre.....group using Command line?

Check out here:
turnerniAuthor Commented:
The domain is in Native mode.
I am trying to do this on the Infrastructure Admin.
I can not add using the cmd line as the group is not there and the Anonymous Logon User is also missing.

I have already tried net localgroup "Pre....Access" Everyone /add

Not sure what you mean by Schema FSMO.

I am logged in as a scema admin.

I am a bit rusty so bare with me.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\turnerni>net localgroup "Pre-Windows 2000 Compatibilty
 Access" Everyone /add
There is no such user or group: Pre-Windows 2000 Compatibilty Access.

More help is available by typing NET HELPMSG 3780.

C:\Documents and Settings\turnerni>net helpmsg 3780

There is no such user or group: ***.


The user or group specified does not exist.


Retype the command with a correct user name or group name.

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

turnerniAuthor Commented:
i had a typo on my post should read compatible instead of compatibilty.
I have been using the right word in my attempts to fix this.

so if u want to update the AD then u have to log on using ad schema admin. if ur system is multilevel or not u have to logon to the root server as root forest's admin and that admin must have schema admin rights. and this change is enterprise wide which means the admin must me an enterprise admin of the entire forest.
it is best to logon as the forest's admin at the root server and run the adprep..
and make sure that Shema Master, Infrastucture master roles are running and make sure ther servers who hold those roles are up and running at the time of running adprep.

Nirmal SharmaSolution ArchitectCommented:
Did you manage to solve your problem?
turnerniAuthor Commented:
I broke down and called MS and paid the $245
This is the resolution

Unable to bring in the Windows 2003 R2 Server as an Additional Domain Controller in Windows 2000 Domain




On the Windows 2000 Domain Controller
1.       While trying to run ADPREP /domainprep we were getting the following error: "Adprep failed in the attempt to add the Anonymous Logon SID to the Pre-Windows 2000 Compatible Access group"
2.       Created the "cn=2416c60a-fe15-4d7a-a61e-dffd5df864d3,cn=Operations,cn=DomainUpdates,cn=System, DC=domain,DC=com" container object manually going into adsiedit.msc from the run window
3.       Tried to run ADPREP /domainprep, successful
On the Windows 2003 Domain Controller
1.       Ran DCPROMO on it and promoted it as an Additional Domain Controller
2.       The SYSVOL and NETLOGON shares were missing after running DCPROMO on it
3.       Disabled Windows Firewall service on it, restarted the File Replication (NTFRS) service, got the SYSVOL and NETLOGON shares
4.       Checked for Active Directory replication successful from Active Directory Sites and Services, successful
5.       Transferred all the FSMO on the win2k3 DC <ServerName> as per KB 324801




Operations that are performed by the Adprep.exe utility when you add a Windows Server 2003 domain controller to a Windows 2000 domain or forest



Schema Updates Require Write Access to Schema in Active Directory



Windows Server 2003 adprep /forestprep command causes mangled attributes in Windows 2000 forests that contain Exchange 2000 servers



Error message when you run the Active Directory Installation Wizard: "The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer"



Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.