+ Post New Thread
Results 1 to 11 of 11
Windows Server 2008 Thread, Problems creating a Domain Administrator Account in AD in Technical; Hi, I am trying to create a Domain Administrator account so admins can logon to PCs and make changes. I've ...
  1. #1
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17

    Problems creating a Domain Administrator Account in AD

    Hi,

    I am trying to create a Domain Administrator account so admins can logon to PCs and make changes.

    I've done this, by creating a new user on the DC in AD, then adding them to the "Domain Admins" group.

    However when I logon with this new account, I don't get full admin rights on the local machine OR on the DC - for instance, I can't change security settings in Internet Explorer.

    This is a fresh install of Windows Server 2008 Standard. There are no Group Policies that apply to this account (I've double checked) and no other restrictions that I can see.

    "Domain Admins" is definitely also a member of the Builtin/Administrators group.

    In order to check I've not gone mad, I've created another account using this very basic step by step video here

    YouTube - &#x202aCreating a personal domain Administrator account Server 2008 - AD DS&#x202c‏

    And still I don't seem to have full local admin rights.

    Am I missing something obvious?

  2. #2

    AngryTechnician's Avatar
    Join Date
    Oct 2008
    Posts
    3,730
    Thank Post
    698
    Thanked 1,211 Times in 761 Posts
    Rep Power
    394
    Sounds like there are Group Policies applying to the computer account that have settings defined in the User Configuration section. Have you run an RSoP against the computer and account in question?

  3. #3
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17
    Hi,
    Thanks for the response. I've run RSOP for both the new account and the default administrator accounts. There are no GP's being applied beyond the default Domain Policies. The response I get from RSOP is the same for the new admin account and the default admin account.

    Yet there are differences. Eg, if I go to Internet Options in IE, in the administrator account I can edit security settings, in the new admin account, I cannot.

  4. #4

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    Do you have any local policies that have been copied into default user? Local policies would still affect a domain admin if no GPOs override them. After you have logged out on the client, copy an ntuser.dat across from somewhere you know works (or from another admin)

  5. #5
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17
    Hi, There are no other active local policies. At the moment, I am not trying to logon to a client, I am only testing logging onto the DC.

  6. #6


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,628
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    You are doing things from an elevated prompt where necessary, right?

    For certain things, being a Domain Admin isn't enough - you have to explicitly elevate your rights.

  7. #7
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17
    I haven't changed anything in secpol, so as far as I understand it, my rights should be correct? In UAC, behaviour for admin users is set to "prompt for consent".

  8. #8


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,576
    Thank Post
    228
    Thanked 852 Times in 731 Posts
    Rep Power
    294
    the user administrator bypasses uac whereas a n other admin evern if its a direct copy of the same account will need to run as administrator for certain things or go through uac prompts

  9. #9
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17
    Hi sted, I understand that. But I am not getting any UAC prompts when logged on as the new administrator account on the DC. Even though the UAC is set to prompt for consent.

  10. #10


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,576
    Thank Post
    228
    Thanked 852 Times in 731 Posts
    Rep Power
    294
    is it worth copying the working admin account rather than creating a new one from scratch?

  11. #11
    swpmre's Avatar
    Join Date
    Sep 2007
    Location
    Salford, Greater Manchester
    Posts
    72
    Thank Post
    14
    Thanked 3 Times in 2 Posts
    Rep Power
    17
    Yeah, tried that too.

    I'm going to give up now. It is working on a client fine. Its only when I logon to the Domain Controller that I don't quite have full rights as I think I should have. So if I need to do certain things on the DC, I'll have to logon as the local administrator.

    Thanks everyone for your thoughts.

SHARE:
+ Post New Thread

Similar Threads

  1. Administrator account no longer has admin privileges
    By MattCowen in forum Windows Vista
    Replies: 12
    Last Post: 18th October 2009, 12:48 PM
  2. Replies: 1
    Last Post: 6th October 2008, 10:13 AM
  3. types of administrator account
    By disinfo in forum Windows
    Replies: 21
    Last Post: 16th October 2006, 10:14 AM
  4. Renaming the Administrator Account
    By tosca925 in forum Windows
    Replies: 20
    Last Post: 3rd July 2006, 05:02 PM
  5. Administrator Account
    By Gatt in forum Windows Vista
    Replies: 0
    Last Post: 2nd April 2006, 09:51 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •