You receive access denied errors after you log on to a local administrator domain account

Support for Windows Server 2003 ended on July 14, 2015

Symptoms
Consider the following scenario:
  • You create a local administrator account on a computer that is running one of the following operating systems:
    • Windows Server 2012 
    • Windows Server 2008 R2 
    • Windows Server 2008 
    • Windows Server 2003  
  • You log on by using the local administrator account instead of the built-in Administrator account and then configure the server to be the first domain controller in a new domain or forest. As expected, this local account becomes a domain account.
  • You use this domain account to log on. 
  • You try to perform various Active Directory Domain Services (AD DS) operations.

In this scenario, you receive access denied errors.
Cause
When you configure the first domain controller in a forest or a new domain, the user's local account is converted to a domain security principal and is added to matching domain built-in groups, such as Users and Administrators. Because there are no built-in local Schema Admins, Domain Admins, or Enterprise Admins groups, these memberships are not updated in the domain groups, and you are not added to the Domain Admins group.
Workaround
To work around this behavior, use Dsa.msc, Dsac.exe, or the Active Directory Windows PowerShell module to add the user to the Domain Admins and Enterprise Admins groups as necessary. We do not recommend that you add the user to the Schema Admins group unless you are currently performing a schema upgrade or modification.

After you log off and then log back on, the group membership changes will take effect.
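
The Active Directory PowerShell route from the workaround, as an added example that is not part of the original article: it reports the account's membership in the three forest and domain admin groups and adds it only to the groups requested, leaving Schema Admins report-only. The function name `Repair-PromotedAdminMembership` and the account name `localadmin1` are hypothetical, and the script assumes the default English group names and a session on the new forest root domain with rights to modify those groups.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT or the AD DS role tools).
Import-Module ActiveDirectory

function Repair-PromotedAdminMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName of the former local administrator account
        [Parameter(Mandatory = $true)][string]$Identity,
        # Groups to grant as necessary; Schema Admins is intentionally not a default
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins')
    )

    $user = Get-ADUser -Identity $Identity -Properties MemberOf

    # Report on every privileged group, but only modify the ones named in -Groups
    $toReport = @($Groups) + 'Schema Admins' | Select-Object -Unique
    foreach ($name in $toReport) {
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
        } catch {
            # For example, Enterprise Admins looked up from a child domain
            [pscustomobject]@{ Group = $name; Status = "LookupFailed: $($_.Exception.Message)" }
            continue
        }

        $isMember = $user.MemberOf -contains $group.DistinguishedName
        if ($isMember) {
            $status = 'AlreadyMember'
        } elseif ($Groups -notcontains $name) {
            $status = 'NotMember (left unchanged)'
        } elseif ($PSCmdlet.ShouldProcess($name, "Add $Identity")) {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            $status = 'Added (log off and on again to apply)'
        } else {
            $status = 'NotMember (not added)'
        }
        [pscustomobject]@{ Group = $name; Status = $status }
    }
}

# Dry run first; drop -WhatIf to apply. 'localadmin1' is a placeholder account name.
Repair-PromotedAdminMembership -Identity 'localadmin1' -WhatIf
```

If the account was added to Schema Admins for a schema change, the same report shows it as `AlreadyMember`, which is the cue to remove it once the change is complete.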
More information
This behavior is expected and is by design. 

Although this behavior has always been present in AD DS, improved security procedures in business networks have exposed the behavior to customers who follow Microsoft best practices for using the built-in Administrator account.

The built-in Administrator account makes sure that at least one user has full administrative group membership in a new forest.
Properties

Article ID: 2738746 - Last Review: 09/19/2012 17:45:00 - Revision: 4.0

Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 Standard, Microsoft Windows Server 2003 Service Pack 2

  • KB2738746