A user without permission to run "dcpromo", but the user belongs to the group "IT" and this last IT group belongs to the Domain Administrator group
Hello, I am a bit confused because of this: I have several users belonging to a group which I called "IT-Group". It is a global group, neither universal, nor Local Domain (I say this just in case this is the cause). That group "IT-Group" belongs to "Domain Administrators", "Schema Administrators" and "Organization Administrator". That is why I can't understand that a user who belongs to "IT-Group" and, therefore, to "Organization/Schema/Domain Administrators" is not able to set a server as a Domain controller through the command-line: "Dcpromo". The error, with two users, is the same: "Not enough privileges to run DCPromo". Thanks a lot in advance! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 7:28am

Hello Jesper, Thanks for replying so soon. Well, in fact all has been very strange because I logged in with users belonging to a certain group, a global group "IT-group" which belongs to "Organization Administrators", "Schema Administrator" and "Domain Administrator", so it didn't make much sense that I didn't have privileges to perform a "dcpromo.exe" with such users. So, I just took the PC off the domain into a Work Group, restarted, and I re-joined the PC into the domain and all worked perfectly, so, honestly, I don't know what was going on. Thanks a lot for your prompt reply! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 11:55am

Hello, membership in the domain's security groups has nothing to do with the domain computers. So this can just be luck that it helps with rejoining the machine to the domain. Are the machines created from an image that is NOT prepared with sysprep? Be aware that even members of the domain/enterprise/administrators security belong to UAV settings if you use Windows Server 2008 and higher OS. Even the builtin Administrator belongs to this and has by default a security token with not full control and must be elevated, so this is NORMAL even for high privileged administrators. Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 11th, 2012 12:07pm
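
The reply above says that even highly privileged administrators can hold a token without full control. The following PowerShell sketch is an added example, not part of the original thread: run as the affected user on the server where dcpromo is refused, it reports whether the nested admin groups are actually enabled in the current logon token. It assumes a single-domain forest, so that Schema Admins and Enterprise Admins share the user's domain SID.

```powershell
# Added example (not from the thread): inspect the current logon token.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)

# Domain part of the user's SID; $null when logged on with a local account.
$domainSid = $id.User.AccountDomainSid

if ($domainSid -eq $null) {
    "Logged on with a local account: no domain groups can be in this token."
}
else {
    # Assumption: single-domain forest, so all three groups use the same domain SID.
    $groups = @{
        'Domain Admins'     = [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
        'Schema Admins'     = [System.Security.Principal.WellKnownSidType]::AccountSchemaAdminsSid
        'Enterprise Admins' = [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid
    }

    foreach ($name in $groups.Keys) {
        # Build the group's SID from its well-known RID plus the domain SID.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($groups[$name], $domainSid)

        # IsInRole is true only if the SID is present AND enabled in the token;
        # a group reached through nesting (user -> IT-Group -> Domain Admins) counts.
        $enabled = $principal.IsInRole($sid)
        "{0,-18} {1}  enabled in token: {2}" -f $name, $sid.Value, $enabled
    }
}

# Local Administrators: False here on Windows Server 2008 and later usually
# means the process is running with the UAC-filtered (non-elevated) token.
$isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Local Administrators enabled in token: $isAdmin"
```

Group SIDs are placed in the token at logon, so a membership change made while the user is logged on only shows up here after a fresh logon.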

Hello Meinolf, Thanks for replying. Well, the machine is a VMware prepared, a 2003 Enterprise SP2 with some software installed and I use it very often in my scenarios to perform many tasks, tests, etc. So far, so good, I mean, I have always used this machine, then I run "NewSID" (I think this step is totally necessary to change the SID of the new machine in the domain), and all works fine, except for today that I had this issue. My question in reality is whether or not a user that belongs to a certain group (global security group), and this certain group belongs to "Organization Administrator", inherits the permissions of this last group of Administrators. My guess is that they do, they inherit the permissions. What is UAV Settings? Anyway, it was all my fault because I forgot to highlight that I am working now with Win 2003, though one of the Domain Controllers is a Win 2008; is that what you are referring to with the UAV Settings? Thanks once more! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 12:18pm

Hiya, UAC - User Account Control. Only a concern for Win2k8 O/S and up. User Account Control Step-by-Step Guide http://technet.microsoft.com/en-us/library/cc709691(v=ws.10).aspx
June 11th, 2012 12:30pm

I see, Thanks Jesper. It is kind of the former "ACL" in 2k3, and previous, I should think. I'll take a look at it. Thanks! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 11th, 2012 12:41pm

Hello, NewSID is NOT supported from Microsoft and machines MUST be prepared with sysprep only, to have full support and all required tasks executed: http://support.microsoft.com/kb/314828 http://support.microsoft.com/kb/828287 How sysprep works http://technet.microsoft.com/en-us/library/dd744512(WS.10).aspx UAV is a typo, sorry for that, UAC is of course correct. Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 11th, 2012 12:45pm

Thanks Meinolf, I read that NewSid was no longer supported by Microsoft. I have deployed SysPrep but not often. I know how it works although I should revise it. Anyway, my main question remains unanswered, but I appreciate your help! Thanks a lot. Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 3:51am

Hello, please use your lab machine VM and run sysprep on it then try again the same. "I read that NewSid was no longer supported by Microsoft" NewSID was NEVER supported from Microsoft. Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 12th, 2012 4:39am

Meinolf, NewSID was never supported by Microsoft? Thank you. Anyway, it worked, and works I think, I mean, my colleagues usually use it when they have a VMware machine, and then copy the folder to have another same machine; I start it up and just after that I run NewSID. It is a third party software, therefore not supported by Microsoft, but it works. Thanks a lot for your assistance!! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 6:39am

Andy Qi, Thanks for your reply. What I mean is that if a user belongs to a group, and this group belongs to the "Enterprise/Domain Administrator" .... does not the user have the Administrator privileges? I'd say he has such privileges. Regarding all your explanation (which is very appreciated, by the way), I never had to do such things to join a computer as the second, third... Domain Controller, I just did the typical easy steps, and it always worked. Humbly I'd say that is not the problem, but I'll do as you suggest. Thanks a lot!! Luis Olas Técnico/Admon Sistemas. Sevilla (España - Spain)
June 12th, 2012 6:43am

This topic is archived. No further replies will be accepted.