Microsoft Knowledge Base Article 823659 contains the following summary:
This article describes incompatibilities that may occur on client computers that are running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 when you modify specific security settings and user rights assignments in Windows NT 4.0 domains, in Windows 2000 domains, and in Windows Server 2003 domains. By configuring these settings and assignments in local policies and in group policies, you can help tighten the security on domain controllers and on member computers. The downside of increased security is the introduction of incompatibilities with clients, with services, and with programs.
This article contains examples of clients, of programs, and of operations that are affected by specific security settings or user rights assignments. However, the examples are not authoritative for all Microsoft operating systems, for all third-party operating systems, or for all program versions that are affected. Not all security settings and user rights assignments are included in this article.
Microsoft recommends that you validate the compatibility of all security-related configuration changes in a test forest before you introduce them in a production environment. The test forest must mirror the production forest in the following ways:
|•||Client and server operating system versions, client and server programs, service pack versions, hotfixes, schema changes, security groups, group memberships, permissions on objects in the file system, shared folders, the registry, Active Directory directory service, local and Group Policy settings, and object count type and location|
|•||Administrative tasks that are performed, administrative tools that are used, and operating systems that are used to perform administrative tasks|
|•||Operations that are performed, including computer and user logon authentication; password resets by users, by computers, and by administrators; browsing; setting permissions for the file system, for shared folders, for the registry, and for Active Directory resources by using ACL Editor in all client operating systems in all account or resource domains from all client operating systems from all account or resource domains; printing from administrative and non-administrative accounts|