In Windows 2000, why can't I remove an ADS user account from a local group?

Note: The following information is intended for registered local support providers (LSPs) at Indiana University. If you are an LSP and have questions regarding the information in this document, contact LSP Services at  lsps@iu.edu ; otherwise, contact your campus Support Center.

The Active Directory Migration Tool (ADMT) was used at Indiana University to migrate user accounts from the Microsoft Windows NT 4.0 domains (IU Bloomington and IUPUI NT 4.0 Domains) to the Microsoft Active Directory. When these users are added to local groups, sometimes the accounts cannot be deleted. Microsoft has confirmed this to be a problem.

In order to work around this issue, you must use the net command with the following syntax: net localgroup "localgroupname" "NT4Domain\Username" /delete

For example, at IUB you could use the following command: net localgroup "Administrators" "IUB\janedoe" /delete This command will remove the ADS user janedoe from the Administrators group on the local computer.

For more information, see article 278693 in Microsoft's knowledge base.

You can search Microsoft's knowledge base at:

Also see:

• At IU, how do I create an ADS Domain account?
• What is the difference between my Network ID and my ADS Domain account?
• In Active Directory, what are the differences between universal, global, and domain local groups?
• In the IU Active Directory, how do I manage groups?
• At IU, what is the Active Directory Services (ADS) Domain?
• At IU, in Windows 2000 or XP Professional, how do I log into my workstation with administrative rights using my ADS Domain account?
• At IU, in the ADS Domain, how should I search for users, groups, computers, and other ADS objects?
• At IU, in Active Directory, how can I prevent users from logging into a computer?