Re: Domain Admin Server 2003

From: Bruce (Bruce_at_discussions.microsoft.com)
Date: 10/26/04 

Date: Tue, 26 Oct 2004 11:57:11 -0700

I no longer have Domain Admin rights and I am not in a privileged group. I
belive this happened because my account was granted Domain Admin rights and
then taken away. I believe that only Domain Admins can manage Domain Admins.
 Somehow my SID must still reflect Domain Admin status for the managing of my
account even though the Domain Admin rights have been taken away. Is there a
way to "scrub" my SID of the "hooks" it posses for the Domain Admin status?

"Steven L Umbach" wrote:

> Make sure that your account is in the OU that you have full control over. I
> believe that you can only manage regular user accounts when you are
> delegated full control to an OU. If your or any account is in a privileged
> group such as server operator, backup operator, etc then you will not be
> able to manage it as a regular user that has been delegated permissions for
> user accounts. --- Steve
>
>
> "Bruce" <Bruce@discussions.microsoft.com> wrote in message
> news:154FAD01-7CC8-40F3-B1CB-02E64ACADB1D@microsoft.com...
> >I had delegated Full rights to my OU's and then was granted Domain Admin
> > rights to perform a migration from NetWare to server 2003. The domain
> > Admin
> > rights have since been taken away and I once again have delegated full
> > rights
> > to my OU's. I was able to manage my own account before I was granted
> > Domain
> > Admin rights but since they have been taken away I cannot manage my own
> > account, all things are grayed out on the first line of tabs. How can I
> > get
> > the ability to manage my own account without having Domain Admin rights?
> > --
> > Bruce Fiedler
>
>
>

Relevant Pages

  • Re: domain permission problems
    ... i need an account in domain1 to have domain admin rights in domain 1 and 2. ... MCSE, MVP Directory Services ...
    (microsoft.public.windows.server.active_directory)
  • Re: Service accounts best practices
    ... guidance on granting admin accounts. ... >> The only people who should have domain admin rights are the exact people ... >> doing domain admin work and it should be a very small group. ... >>>>Joe Richards Microsoft MVP Windows Server Directory Services ...
    (microsoft.public.win2000.security)
  • Re: What permissions are needed to migrate SID?
    ... The user running ADMT must have Domain Admin rights in the source domain, ... he must have administrator rights on the machine running ADMT. ... One of my customer suggests that it would be best to delegate permissions ...
    (microsoft.public.windows.server.migration)
  • Re: Service accounts best practices
    ... > The only people who should have domain admin rights are the exact people ... > domain admin work and it should be a very small group. ... >>>Joe Richards Microsoft MVP Windows Server Directory Services ... >>>>Can someone point me to a guide to securing service accounts? ...
    (microsoft.public.win2000.security)
  • Re: How to grand Access right to some mailboxs
    ... such "User" is already belong to Domain Admin ... Create a "normal" user account for that person to use (doing everthing ... with Domain Admin rights is not such a "good thing"). ... normal account the "Full mailbox access" rights on the mailbox. ...
    (microsoft.public.exchange.admin)