A user without permission to run "dcpromo", although the user belongs to the group "IT" and that IT group belongs to the Domain Administrators group
Hello,
I am a bit confused because of this:
I have several users belonging to a group which I called "IT-Group". It is a global group, neither universal nor domain local (I mention this just in case it is the cause).
That group "IT-Group" belongs to "Domain Administrators", "Schema Administrators" and "Organization Administrators".
That is why I can't understand why a user who belongs to "IT-Group" and, therefore, to "Organization/Schema/Domain Administrators" is not able to promote a server to a domain controller through the command line "dcpromo".
The error, with two users, is the same: "Not enough privileges to run DCPromo"
Thanks a lot in advance!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 11th, 2012 7:38am
Hiya,
Is he running it from an elevated command prompt?
Right click cmd.exe and select Run as Administrator and see if that helps.
June 11th, 2012 8:35am
Hello Jesper,
Thanks for replying so soon.
Well, in fact it has all been very strange, because I logged in with users belonging to a certain group, a global group "IT-group" which belongs to "Organization Administrators", "Schema Administrators" and "Domain Administrators", so it didn't make much sense that I didn't have privileges to perform a "dcpromo.exe" with such users.
So I just removed the PC from the domain into a workgroup, restarted, re-joined the PC to the domain and all worked perfectly, so, honestly, I don't know what was going on.
Thanks a lot for your prompt reply!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 11th, 2012 12:05pm
Hello,
Membership in the domain's security groups has nothing to do with the domain computers. So it can just be luck that rejoining the machine to the domain helped.
Are the machines created from an image that is NOT prepared with sysprep?
Be aware that even members of the Domain Admins/Enterprise Admins/Administrators security groups are subject to UAV settings if you use Windows Server 2008 and higher. Even the built-in Administrator is subject to this and by default has a security token without full control and must be elevated, so this is NORMAL even for highly privileged administrators.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 11th, 2012 12:17pm
Hello Meinolf,
Thanks for replying.
Well, the machine is a prepared VMware image, a 2003 Enterprise SP2 with some software installed, and I use it very often in my scenarios to perform many tasks, tests, etc.
So far, so good. I mean, I have always used this machine, then I run "NewSID" (I think this step is totally necessary to change the SID of the new machine in the domain), and all works fine, except for today, when I had this issue.
My real question is whether or not a user that belongs to a certain group (a global security group), where that group belongs to "Organization Administrators", inherits the permissions of that Administrators group. My guess is that they do inherit the permissions.
What are UAV settings? Anyway, it was all my fault because I forgot to highlight that I am working now with Win 2003, though one of the domain controllers is a Win 2008; is that what you are referring to with the UAV settings?
Thanks once more!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 11th, 2012 12:27pm
Hiya,
UAC - User Account Control. Only a concern for Win2k8 O/S and up.
User Account Control Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx
June 11th, 2012 12:39pm
I see,
Thanks Jesper. It is kind of like the former "ACL" in 2k3 and earlier, I should think.
I'll take a look at it.
Thanks!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 11th, 2012 12:50pm
Hello,
NewSID is NOT supported by Microsoft and machines MUST be prepared with sysprep only, to have full support and all required tasks executed:
http://support.microsoft.com/kb/314828
http://support.microsoft.com/kb/828287
How sysprep works
http://technet.microsoft.com/en-us/library/dd744512(WS.10).aspx
UAV is a typo, sorry for that, UAC is of course correct.
Best regards
Meinolf Weber
June 11th, 2012 12:55pm
Thanks Meinolf,
I read that NewSID was no longer supported by Microsoft. I have deployed Sysprep, but not often. I know how it works, although I should review it.
Anyway, my main question remains unanswered, but I appreciate your help! Thanks a lot.
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 12th, 2012 4:01am
Hello,
Please use your lab VM, run sysprep on it, then try the same again.
"I read that NewSID was no longer supported by Microsoft": NewSID was NEVER supported by Microsoft.
Best regards
Meinolf Weber
June 12th, 2012 4:49am
Hi,
To install an additional domain controller, an administrator who is a member of the Built-in [Administrators] group (for example, Enterprise Admins and Domain Admins) on your domain controller must have the "Enable computer and user accounts to be trusted for delegation" privilege. This is necessary so that during the installation of Active Directory, the computer account can be trusted for delegation.
Please refer to the following method to give the "Enable computer and user accounts to be trusted for delegation" privilege to a computer account:
1. Open GPMC.
2. Expand Domain Controllers.
3. Modify the "Default Domain Controllers Policy" Group Policy object under Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment and open "Enable computer and user accounts to be trusted for delegation".
4. Add the account you want to use for the domain controller promotion process, or a group of which it is a member.
For details, please refer to the following articles.
Active Directory Installation and Removal Issues
http://technet.microsoft.com/en-us/library/cc961804.aspx
When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied" error message.
http://support.microsoft.com/kb/232070
Regards,
Andy
June 12th, 2012 6:32am
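Two things raised in this thread can be checked directly from the prompt dcpromo is launched from: Jesper's point that a non-elevated prompt under UAC carries a filtered token, and Andy's point that the account needs the "Enable computer and user accounts to be trusted for delegation" right (internally SeEnableDelegationPrivilege). The PowerShell below is an added example, not code from the thread or from Microsoft. It lists the admin groups and the delegation privilege in the current token (under UAC, a non-elevated token shows BUILTIN\Administrators as "Group used for deny only" and drops the privilege) and exports the effective user-rights policy to see which principals hold the right. It assumes an English-language Windows host where whoami.exe and secedit.exe are in-box (Vista / Server 2008 and later; the 2003 machine in the thread would need the Support Tools whoami), and the secedit export needs an elevated prompt.

```powershell
# Added example (not code from the thread). Requires Windows PowerShell on an
# English-language Windows host; whoami.exe and secedit.exe are in-box since
# Vista / Server 2008. Get-DelegationRightAssignment needs an elevated prompt,
# because secedit /export reads the local security policy.

function Test-DcpromoToken {
    # Groups carried by the current logon token. Under UAC a non-elevated prompt
    # gets a filtered token in which BUILTIN\Administrators and other high-
    # privilege groups are marked "Group used for deny only", so access checks
    # never match them.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $adminGroups = $groups | Where-Object {
        $_.SID -eq 'S-1-5-32-544' -or      # BUILTIN\Administrators
        $_.SID -match '-(512|518|519)$'     # Domain Admins, Schema Admins, Enterprise Admins (well-known RIDs)
    }

    # Privileges in the current token. The filtered UAC token drops almost all
    # of them; SeEnableDelegationPrivilege is normally only present at all on a
    # domain controller, where the Default Domain Controllers Policy grants it.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $delegation = $privs | Where-Object { $_.'Privilege Name' -eq 'SeEnableDelegationPrivilege' }
    $delegationState = if ($delegation) { $delegation.State } else { 'not present in token' }

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    [pscustomobject]@{
        User            = $identity.Name
        IsElevatedAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        AdminGroups     = @($adminGroups | ForEach-Object { "$($_.'Group Name') [$($_.Attributes)]" })
        TokenIsFiltered = [bool]($adminGroups | Where-Object { $_.Attributes -match 'deny only' })
        DelegationPriv  = $delegationState
    }
}

function Get-DelegationRightAssignment {
    # Export the effective user-rights policy of this machine and show which
    # principals hold SeEnableDelegationPrivilege. On a DC this is what the
    # Default Domain Controllers Policy edit described above ends up changing.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeEnableDelegationPrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }   # right not assigned on this machine

    # Export format: SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...-512
    foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            [pscustomobject]@{ Account = $name; SID = $sid.Value }
        } else {
            [pscustomobject]@{ Account = $entry; SID = $null }
        }
    }
}

Test-DcpromoToken | Format-List
Get-DelegationRightAssignment | Format-Table -AutoSize
```

Run it once from a plain prompt and once from a "Run as Administrator" prompt on a 2008-or-later machine: the first run reports TokenIsFiltered as True and IsElevatedAdmin as False even for a Domain Admin, which is exactly why membership alone is not enough there. On a member server that is not yet a DC, DelegationPriv is expected to be absent; the right is granted by the Default Domain Controllers Policy, so Get-DelegationRightAssignment is meaningful when run on an existing DC.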
Meinolf,
NewSID was never supported by Microsoft?. thank you.
Anyway, it worked, and I think it still works. I mean, my colleagues usually use it when they have a VMware machine and then copy the folder to have another identical machine; I start it up and right after that I run NewSID. It is third-party software, therefore not supported by Microsoft, but it works.
Thanks a lot for your assistance!!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 12th, 2012 6:39am
Andy Qi,
Thanks for your reply.
What I mean is that if a user belongs to a group, and this group belongs to "Enterprise/Domain Administrators"... doesn't the user have Administrator privileges? I'd say he has such privileges.
Regarding all your explanation (which is very much appreciated, by the way), I never had to do such things to join a computer as the second, third... domain controller; I just did the typical easy steps and it always worked. Humbly, I'd say that is not the problem, but I'll do as you suggest.
Thanks a lot!!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 12th, 2012 6:43am
Hi,
Based on my test, users belonging to a group that has been added to the Organization Admins, Schema Admins and Domain Admins groups do have Administrator privileges. Regarding your main question, we could try to re-add the group to all four groups, Organization Admins, Schema Admins, Domain Admins and the Administrators [Built-in] group, and then check the permissions of the group on the Security tab in Properties to test the issue.
Regards,
Andy
June 12th, 2012 11:19pm
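Andy's test can be made explicit with the directory itself. Active Directory exposes a constructed attribute, tokenGroups, holding the transitive (nested) group SIDs a user would receive in a logon token, so nesting "IT-Group" inside Domain Admins shows up there as the Domain Admins SID. The PowerShell below is an added example, not code from the thread; it reads tokenGroups with the ADSI classes built into Windows PowerShell (no ActiveDirectory module needed) and checks for the well-known RIDs 512 (Domain Admins), 518 (Schema Admins) and 519 (Enterprise Admins) plus the domain's Builtin\Administrators SID S-1-5-32-544. It must run as a domain user on a domain-joined machine; the account name 'userA' is a placeholder.

```powershell
# Added example (not code from the thread). Uses the ADSI classes built into
# Windows PowerShell; run it as a domain user on a domain-joined machine.

function Get-EffectiveGroupMembership {
    param(
        # Reject LDAP filter metacharacters instead of escaping them, so the
        # name cannot alter the search filter below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[^\\\*\(\)]+$')]
        [string]$SamAccountName
    )

    $searcher = [ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the current domain." }

    # tokenGroups is a constructed attribute: it is only returned on a base-scope
    # read of the object itself, which RefreshCache performs.
    $user = $result.GetDirectoryEntry()
    $user.RefreshCache(@('tokenGroups'))

    foreach ($sidBytes in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{ Name = $name; SID = $sid.Value }
    }
}

function Test-EffectiveAdminMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sids = @(Get-EffectiveGroupMembership -SamAccountName $SamAccountName | ForEach-Object SID)
    # Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
    # Schema/Enterprise Admins live in the forest root domain, so only the RID is matched.
    [pscustomobject]@{
        User             = $SamAccountName
        DomainAdmins     = [bool]($sids -match '^S-1-5-21-.*-512$')
        SchemaAdmins     = [bool]($sids -match '^S-1-5-21-.*-518$')
        EnterpriseAdmins = [bool]($sids -match '^S-1-5-21-.*-519$')
        BuiltinAdmins    = $sids -contains 'S-1-5-32-544'   # the domain's Builtin\Administrators
    }
}

# 'userA' is a placeholder for one of the "IT-Group" members from the thread.
Get-EffectiveGroupMembership -SamAccountName 'userA' | Sort-Object Name | Format-Table -AutoSize
Test-EffectiveAdminMembership -SamAccountName 'userA'
```

For a member of "IT-Group" nested as described in the thread, all four flags come back True, which is the directory's own confirmation that nesting a global group inside Domain Admins confers its membership. tokenGroups reflects group membership only; whether a particular prompt then gets to use that membership is the separate UAC question discussed earlier.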
Thanks Andy Qi,
That's exactly what I thought. And yesterday I performed some tests for the same purpose and reached the same conclusion: if user "A" belongs to "IT-group" and this group belongs to "Organization Administrators", then user "A" is an Administrator. It all sounds quite logical, by the way.
I don't know if I mentioned that finally I joined the PC to the domain, but only because I removed it from the domain, restarted the PC and then joined it without any further problems, so it probably was another issue, most likely, I should think.
Thanks again! I really appreciate your help.
By the way: is there any difference between "Domain Admins" and "Administrators [Built-in]"? I never understood this.
Thanks!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 13th, 2012 2:19am
Hi,
Built-in Administrators is a default local computer administrator group. Members of this group have all rights and permissions on the workstation.
Domain Admins is a default AD administrator group. Members of this group have permissions to manage AD, but don't have any rights on workstations. In order to allow Domain Admins to manage workstations, Domain Admins must be added to the built-in Administrators group.
Regards,
Andy
June 13th, 2012 3:02am
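The relationship between the two groups can be read straight out of the directory and the local SAM. In AD, Administrators is a domain local group stored under CN=Builtin that contains Domain Admins (and, in the forest root domain, Enterprise Admins) by default; on a member workstation, the domain join adds Domain Admins to the machine's own local Administrators group. The PowerShell below is an added example, not code from the thread: it lists the members of the domain's Builtin Administrators group over LDAP and the members of the local Administrators group through the WinNT provider, both via the ADSI classes that ship with Windows PowerShell. Run it on a domain-joined machine; reading local group members needs rights on that machine.

```powershell
# Added example (not code from the thread): where Domain Admins sits relative
# to the Administrators group in the domain and on the local machine.

function Get-DomainBuiltinAdministrators {
    # Members of CN=Administrators,CN=Builtin,<domain> as stored in AD.
    # Administrators here is a domain local group; by default it contains the
    # domain Administrator account, Domain Admins and (forest root) Enterprise Admins.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNC = $rootDse.defaultNamingContext
    $group     = [ADSI]"LDAP://CN=Administrators,CN=Builtin,$defaultNC"
    foreach ($dn in $group.member) {
        $m = [ADSI]"LDAP://$dn"
        [pscustomobject]@{
            Member = [string]$m.sAMAccountName
            Class  = $m.SchemaClassName        # 'group' or 'user'
            DN     = $dn
        }
    }
}

function Get-LocalAdministratorsMembers {
    # Members of this machine's local Administrators group via the WinNT provider.
    # On a domain-joined workstation this normally includes <DOMAIN>\Domain Admins,
    # which is what lets a Domain Admin administer the workstation.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Member = ($path -replace '^WinNT://', '') -replace '/', '\'
            Class  = $class
        }
    }
}

Get-DomainBuiltinAdministrators | Format-Table -AutoSize
Get-LocalAdministratorsMembers  | Format-Table -AutoSize
```

The first table answers Luis's question about the Administrators group visible in "Users and Computers": it is the domain's Builtin group, and Domain Admins appears in it as a member. The second table, run on a workstation, shows the same Domain Admins group inside the machine-local Administrators group, which is the link Andy describes.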
Thanks again Andy Qi,
But in AD I see the built-in Administrators group, and I thought it was related to the domain, because I can find it in Active Directory "Users and Computers".
I knew what "Domain Admins" meant, but thanks all the same!!
From my experience, a Domain Admin can do anything on a workstation belonging to the domain, probably because when the PC joins the domain it performs the process you point out: adding "Domain Admins" to the built-in local "Administrators" group of the PC.
Thanks!!
Luis Olas, Técnico/Admón Sistemas, Sevilla (España - Spain)
June 13th, 2012 3:07am