This article describes two important issues that you must consider when you install SharePoint Portal Server on a Windows 2000 domain controller.

When you install SharePoint Portal Server on a Windows 2000 domain controller, you should be aware of the following issues:

• Members of the Local Administrators group on the server always have permissions to set workspace security, even if the members are not assigned the coordinator role. However, when you install SharePoint Portal Server on a domain controller, a Local Administrators group is not available. Consequently, only users who are assigned to the coordinator role can set security on folders. If a coordinator makes an error, you cannot use a Local Administrators account to resolve security issues.
• After you install SharePoint Portal Server, you may need to restart the domain controller. It is recommended that you schedule the installation accordingly.

SharePoint Portal Server enables coordinators to control access to documents and folders by assigning users to roles. Even though each folder must have at least one coordinator assigned, if there is only one coordinator, and that coordinator is unavailable, you cannot modify the role membership on the folder because the concept of file and folder ownership does not exist in SharePoint Portal Server as it does in the NTFS file system.

On a member server, this behavior is not an issue because the Local Administrators group on the server has the permission to read and set security for every document and folder in all workspaces on the SharePoint Portal Server computer. Because administrators have the rights to configure security, they can access every folder and document in case a folder or document is made unavailable to those who typically have access to it. This right is a non-configurable, non-revocable right of the Local Administrators group that takes precedence over the Deny role on individual items.

When you install SharePoint Portal Server on a domain controller, if a folder or a document becomes inaccessible by the currently assigned coordinator permissions, you cannot use a Local Administrators account to resolve security issues. Only the assigned coordinators on the folder can modify security.