swpmre Posted June 24, 2011

Hi,

I am trying to create a Domain Administrator account so admins can log on to PCs and make changes. I've done this by creating a new user on the DC in AD, then adding them to the "Domain Admins" group.

However, when I log on with this new account, I don't get full admin rights on the local machine OR on the DC - for instance, I can't change security settings in Internet Explorer.

This is a fresh install of Windows Server 2008 Standard. There are no Group Policies that apply to this account (I've double checked) and no other restrictions that I can see. "Domain Admins" is definitely also a member of the Builtin/Administrators group.

In order to check I've not gone mad, I've created another account using this very basic step-by-step video here: YouTube - Creating a personal domain Administrator account Server 2008 - AD DS

And still I don't seem to have full local admin rights. Am I missing something obvious?

AngryTechnician Posted June 24, 2011

Sounds like there are Group Policies applying to the computer account that have settings defined in the User Configuration section. Have you run an RSoP against the computer and account in question?

swpmre Posted June 24, 2011

Hi,

Thanks for the response. I've run RSOP for both the new account and the default administrator accounts. There are no GPs being applied beyond the default Domain Policies. The response I get from RSOP is the same for the new admin account and the default admin account.

Yet there are differences. E.g., if I go to Internet Options in IE, in the administrator account I can edit security settings; in the new admin account, I cannot.

KK20 Posted June 24, 2011

Do you have any local policies that have been copied into default user? Local policies would still affect a domain admin if no GPOs override them. After you have logged out on the client, copy an ntuser.dat across from somewhere you know works (or from another admin).

swpmre Posted June 24, 2011

Hi,

There are no other active local policies. At the moment, I am not trying to log on to a client; I am only testing logging on to the DC.

pete Posted June 24, 2011

You are doing things from an elevated prompt where necessary, right? For certain things, being a Domain Admin isn't enough - you have to explicitly elevate your rights.

swpmre Posted June 24, 2011

I haven't changed anything in secpol, so as far as I understand it, my rights should be correct? In UAC, behaviour for admin users is set to "prompt for consent".

sted Posted June 24, 2011

The user Administrator bypasses UAC, whereas another admin, even if it's a direct copy of the same account, will need to run as administrator for certain things or go through UAC prompts.

swpmre Posted June 24, 2011

Hi sted,

I understand that. But I am not getting any UAC prompts when logged on as the new administrator account on the DC, even though the UAC is set to prompt for consent.

sted Posted June 24, 2011

Is it worth copying the working admin account rather than creating a new one from scratch?

swpmre Posted June 24, 2011

Yeah, tried that too.

I'm going to give up now. It is working on a client fine. It's only when I log on to the Domain Controller that I don't quite have full rights as I think I should have. So if I need to do certain things on the DC, I'll have to log on as the local administrator.

Thanks everyone for your thoughts.
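
The difference pete and sted describe between the built-in Administrator and any other admin account can be checked from the affected session. The script below is an added example, not part of the original thread; it assumes PowerShell 2.0 or later and an English-language `whoami` (the "deny only" text is localized), and the property names in its output are chosen here for illustration.

```powershell
# Added example (not from the thread): report whether this logon session is
# running with a full administrator token or a UAC-filtered one.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)

# True only when this process holds the full (elevated) administrator token.
# With a filtered token the Administrators SID is deny-only, so this is False.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The built-in Administrator account always has a SID ending in -500.
$isBuiltIn = $id.User.Value -match '-500$'

# In a filtered token BUILTIN\Administrators (S-1-5-32-544) is still listed,
# but flagged "Group used for deny only", so it grants no access.
$adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
$denyOnly = [bool]($adminGroup -and ($adminGroup.Attributes -match 'deny only'))

# Registry side of the "User Account Control" security options.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

New-Object PSObject -Property @{
    Account                    = $id.Name
    BuiltInAdministrator       = $isBuiltIn
    Elevated                   = $elevated
    AdministratorsDenyOnly     = $denyOnly
    # 0 means UAC is switched off entirely.
    EnableLUA                  = $uac.EnableLUA
    # 0 or absent: the built-in Administrator is not put through Admin Approval Mode.
    FilterAdministratorToken   = $uac.FilterAdministratorToken
    # Raw value of the "behaviour for administrators" elevation prompt setting.
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
} | Format-List
```

`Elevated = False` together with `AdministratorsDenyOnly = True` means the account is an administrator but the current process was started with the filtered token, so the task has to be started with "Run as administrator".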