Article ID: 2738746 - View products that this article applies to.
Consider the following scenario:
In this scenario, you receive access denied errors.
When you configure the first domain controller in a forest or a new domain, the user's local account is converted to a domain security principal and is added to matching domain built-in groups, such as Users and Administrators. Because there are no built-in local Schema Admins, Domain Admins, or Enterprise Admins groups, these memberships are not updated in the domain groups, and you are not added to the Domain Admins group.
To work around this behavior, use Dsa.msc, Dsac.exe, or the Active Directory Windows PowerShell module to add the user to the Domain Admins and Enterprise Admins groups as necessary. We do not recommend that you add the user to the Schema Admins group unless you are currently performing a schema upgrade or modification.
After you log off and then log back on, the group membership changes will take effect.
This behavior is expected and is by design.
Although this behavior has always been present in AD DS, improved security procedures in business networks have exposed the behavior to customers who follow Microsoft best practices for using the built-in Administrator account.
The built-in Administrator account makes sure that at least one user has full administrative group membership in a new forest.
Article ID: 2738746 - Last Review: September 19, 2012 - Revision: 4.0