- You create a local administrator account on a computer that is running one of the following operating systems:
  - Windows Server 2012
  - Windows Server 2008 R2
  - Windows Server 2008
  - Windows Server 2003
- You log on by using the local administrator account instead of the built-in Administrator account and then configure the server to be the first domain controller in a new domain or forest. As expected, this local account becomes a domain account.
- You use this domain account to log on.
- You try to perform various Active Directory Domain Services (AD DS) operations.
In this scenario, you receive access denied errors.
After you log off and then log back on, the group membership changes will take effect.
Although this behavior has always been present in AD DS, improved security procedures in business networks have exposed the behavior to customers who follow Microsoft best practices for using the built-in Administrator account.
The built-in Administrator account makes sure that at least one user has full administrative group membership in a new forest.