A user without permission to run "dcpromo", but the user belongs to the group "IT" and this IT group belongs to the Domain Administrators group
Hello, I am a bit confused because of this: I have several users belonging to a group which I called "IT-Group". It is a global group, neither universal nor domain local (I say this just in case this is the cause). That group "IT-Group" belongs to "Domain Administrators", "Schema Administrators" and "Organization Administrators". That is why I can't understand that a user who belongs to "IT-Group" and, therefore, to "Organization/Schema/Domain Administrators" is not able to set a server as a domain controller through the command line "dcpromo". The error, with two users, is the same: "Not enough privileges to run DCPromo". Thanks a lot in advance!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 7:38am

Hiya, is he running it from an elevated command prompt? Right-click cmd.exe, select "Run as Administrator" and see if that helps.
June 11th, 2012 8:35am

Hello Jesper, thanks for replying so soon. Well, in fact it has all been very strange, because I logged in with users belonging to a certain group, a global group "IT-group" which belongs to "Organization Administrators", "Schema Administrators" and "Domain Administrators", so it didn't make much sense that I didn't have privileges to perform a "dcpromo.exe" with such users. So I just took the PC off the domain into a workgroup, restarted, re-joined the PC to the domain and all worked perfectly, so, honestly, I don't know what was going on. Thanks a lot for your prompt reply!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 12:05pm

Hello, membership in the domain's security groups has nothing to do with the domain computers, so it can just be luck that rejoining the machine to the domain helped. Are the machines created from an image that is NOT prepared with sysprep? Be aware that even members of the domain/enterprise/administrators security groups are subject to UAV settings if you use Windows Server 2008 and higher OS. Even the built-in Administrator is subject to this and has by default a security token without full control and must be elevated, so this is NORMAL even for highly privileged administrators.
Best regards, Meinolf Weber, MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 11th, 2012 12:17pm

Hello Meinolf, thanks for replying. Well, the machine is a VMware-prepared 2003 Enterprise SP2 with some software installed, and I use it very often in my scenarios to perform many tasks, tests, etc. So far, so good; I mean, I have always used this machine, then I run "NewSID" (I think this step is totally necessary to change the SID of the new machine in the domain), and all works fine, except for today when I had this issue. My question in reality is whether or not a user that belongs to a certain group (global security group), where this group belongs to "Organization Administrators", inherits the permissions of this last group of administrators. My guess is that they do inherit the permissions. What are UAV settings? Anyway, it was all my fault because I forgot to highlight that I am working now with Win 2003, though one of the domain controllers is a Win 2008; is that what you are referring to with the UAV settings? Thanks once more!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 12:27pm

Hiya, UAC - User Account Control. Only a concern for Win2k8 O/S and up.
User Account Control Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx
June 11th, 2012 12:39pm

I see, thanks Jesper. It is kind of the former "ACL" in 2k3 and previous, I should think. I'll take a look at it. Thanks!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 12:50pm

Hello, NewSID is NOT supported by Microsoft, and machines MUST be prepared with sysprep only, to have full support and all required tasks executed:
http://support.microsoft.com/kb/314828
http://support.microsoft.com/kb/828287
How sysprep works: http://technet.microsoft.com/en-us/library/dd744512(WS.10).aspx
UAV is a typo, sorry for that; UAC is of course correct.
Best regards, Meinolf Weber, MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 11th, 2012 12:55pm

Thanks Meinolf, I read that NewSID was no longer supported by Microsoft. I have deployed Sysprep, but not often. I know how it works, although I should revise it. Anyway, my main question remains unanswered, but I appreciate your help! Thanks a lot.
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 4:01am

Hello, please use your lab machine VM and run sysprep on it, then try the same again. "I read that NewSID was no longer supported by Microsoft": NewSID was NEVER supported by Microsoft.
Best regards, Meinolf Weber, MVP, MCP, MCTS, Microsoft MVP - Directory Services. My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 12th, 2012 4:49am

Hi, to install an additional domain controller, an administrator who is a member of the built-in Administrators group (for example, Enterprise Admins and Domain Admins) on your domain controller must have the "Enable computer and user accounts to be trusted for delegation" privilege. This is necessary so that during the installation of Active Directory the computer account can be trusted for delegation. Please refer to the following method to give the "Enable computer and user accounts to be trusted for delegation" privilege to a computer account: Open GPMC. Expand Domain Controllers. Modify the "Default Domain Controllers Policy" Group Policy object under Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment and open "Enable computer and user accounts to be trusted for delegation". Add the account you want to use for the domain controller promotion process, or a group of which it is a member. For details, please refer to the following articles.
Active Directory Installation and Removal Issues: http://technet.microsoft.com/en-us/library/cc961804.aspx
When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied" error message: http://support.microsoft.com/kb/232070
Regards, Andy
June 12th, 2012 6:32am

Meinolf, NewSID was never supported by Microsoft? Thank you. Anyway, it worked, and works, I think; I mean, my colleagues usually used it when they have a VMware machine, and then copy the folder to have another identical machine; I start it up and just after that I run NewSID. It is third-party software, therefore not supported by Microsoft, but it works. Thanks a lot for your assistance!!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 6:39am

Andy Qi, thanks for your reply. What I mean is that if a user belongs to a group, and this group belongs to the "Enterprise/Domain Administrators"... does the user not have the Administrator privileges? I'd say he has such privileges. Regarding all your explanation (which is very appreciated, by the way), I never had to do such things to join a computer as the second, third... domain controller; I just did the typical easy steps, and it always worked. Humbly I'd say that is not the problem, but I'll do as you suggest. Thanks a lot!!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 6:43am

Hi, based on my test, users belonging to a group that has been added to the Organization Admins, Schema Admins and Domain Admins groups do have the Administrator privileges. Regarding your main question, we could try to re-add the group to all four groups, Organization Admins, Schema Admins, Domain Admins and the built-in Administrators group, and then check the permissions of the group on the Security tab in Properties to test the issue.
Regards, Andy
June 12th, 2012 11:19pm
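An added example, not from the thread, that verifies Andy's test programmatically: it reads the user's constructed tokenGroups attribute through ADSI, which the DC computes with nested membership already expanded (the same SID list a logon token is built from), and flags the well-known administrative groups discussed here. The sample account name is a constructed assumption; it runs on any domain-joined machine without the RSAT module.

```powershell
# Added example (not from the thread): list the effective (nested) group SIDs a
# user's logon token will carry and mark Domain/Schema/Enterprise Admins and
# Builtin\Administrators among them.
param([string]$SamAccountName = "luis")   # constructed sample account name

# Locate the user object in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found in the domain." }

# tokenGroups is a constructed attribute and must be requested explicitly.
$user = $result.GetDirectoryEntry()
$user.RefreshCache(@("tokenGroups"))

$groups = foreach ($sidBytes in $user.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = "<unresolved>" }
    [pscustomobject]@{ Sid = $sid.Value; Name = $name }
}

# Well-known RIDs (domain-relative) and the fixed SID of Builtin\Administrators.
$wellKnown = @{
    "-512"        = "Domain Admins"
    "-518"        = "Schema Admins"
    "-519"        = "Enterprise Admins"
    "S-1-5-32-544" = "Builtin\Administrators"
}

foreach ($g in $groups | Sort-Object Name) {
    $tag = ""
    foreach ($k in $wellKnown.Keys) {
        if ($g.Sid -eq $k -or $g.Sid.EndsWith($k)) { $tag = "  <== $($wellKnown[$k])" }
    }
    "{0,-45} {1}{2}" -f $g.Name, $g.Sid, $tag
}
```

If the admin groups appear here but the interactive session still fails, compare with `whoami /groups` in that session: under UAC a non-elevated token shows those groups as "Group used for deny only", which matches Meinolf's point about elevation.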

Thanks Andy Qi, that's exactly what I thought. And yesterday I performed some tests for the same purpose and reached the same conclusion. If the user "A" belongs to "IT-group" and this group belongs to "Organization Administrators", then the user "A" is an administrator. It all sounds very logical, by the way. I don't know if I remarked that finally I joined the PC to the domain, but just because I took it off the domain, restarted the PC and then joined it without any further problems, so it probably was another issue, most likely, I should think. Thanks again! I really appreciate your help. By the way: is there any difference between "Domain Admins" and "Administrators [Built-in]"? Never understood this. Thanks!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 13th, 2012 2:19am

Hi, Built-in Administrators is a default local computer administrator group. Members of this group have all rights and permissions on the workstation. Domain Admins is a default AD administrator group. Members of this group have permissions to manage AD, but don't have any rights on workstations. In order to allow Domain Admins to manage workstations, Domain Admins must be added to the built-in Administrators group.
Regards, Andy
June 13th, 2012 3:02am

Thanks again Andy Qi, but in AD I see the built-in Administrators group and I thought it was related to the domains, because I can find it in "Users and Computers" in Active Directory. I knew what "Domain Admins" meant, but thanks the same!! From my experience, a Domain Admin can do anything on a workstation belonging to the domain, probably because when the PC joins the domain it performs the process you point out: adding "Domain Admins" to the built-in local "Administrators" group of the PC. Thanks!!
Luis Olas, Técnico/Admon Sistemas. Sevilla (España - Spain)
June 13th, 2012 3:07am
