Domain admin group vs. domain Administrators rights on a DC

AlbertGos 41 Reputation points
2022-03-11T19:33:32.367+00:00

Hi all,
Used to log on to our DC as domain\administrator but with more than one IT person now, wanted each admin to use their own admin-level account.

When using the new admin account this morning, I noticed that I could not change a .ini file in a program folder. It said I did not have enough rights.

I checked that:

  • the new account is in the Domain Admins group
  • the Domain Admins group is in the domain\Administrators group
  • the folder lists domain\Administrators with full permissions

so the new account should get inherited permissions first from Domain Admins and then from the domain's Administrators group (nested) - but obviously it doesn't.

Is there something funky on a DC where the rights do not show up correctly via inheritance?

Windows Server 2019

4 answers

  1. Dave Patrick 426.2K Reputation points MVP
    2022-03-11T19:36:06.437+00:00

    Could be a UAC thing, might also try to run as administrator

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. AlbertG 1 Reputation point
    2022-03-11T21:35:38.93+00:00

    Didn't seem to help. It seems like a folder permissions thing.


  3. Dave Patrick 426.2K Reputation points MVP
    2022-03-11T21:37:11.253+00:00

    whoami /groups

    may provide something useful.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Gary Reynolds 9,396 Reputation points
    2022-03-12T01:46:45.927+00:00

    Have a look at this tool, which allows you to see the permissions that have been assigned, and then use the Trust Mode against the new admin account and the existing admin account to see if they have different permissions.

    https://nettools.net/acl-viewer/

    Gary.
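
The UAC suggestion and the `whoami /groups` check from the answers above, combined into one diagnostic as an added example (not code from the thread). Under UAC, a non-elevated token carries BUILTIN\Administrators as a deny-only SID, so an allow ACE granted to Administrators does not match it. `Get-AdminTokenState` is a hypothetical name, the sample lines are constructed, and English-language `whoami` output is assumed.

```powershell
# Added example: report how an access token carries BUILTIN\Administrators.
# Assumption: English-language whoami attribute strings.
function Get-AdminTokenState {
    param(
        # CSV lines as produced by "whoami /groups /fo csv /nh";
        # defaults to the token of the current process.
        [string[]]$WhoamiCsv = (whoami /groups /fo csv /nh)
    )

    $groups = $WhoamiCsv | ConvertFrom-Csv -Header Name, Type, SID, Attributes

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admins = $groups | Where-Object SID -eq 'S-1-5-32-544'
    # S-1-16-* entries are mandatory integrity labels (Medium, High, ...).
    $label  = $groups | Where-Object SID -like 'S-1-16-*'

    $state = if (-not $admins) {
        'NotMember'        # group nesting did not reach this token at all
    } elseif ($admins.Attributes -match 'deny only') {
        'FilteredByUAC'    # SID present, but only usable to match deny ACEs
    } elseif ($admins.Attributes -match 'Enabled group') {
        'Elevated'         # SID usable for allow ACEs such as Full control
    } else {
        'Unknown'
    }

    [pscustomobject]@{
        State                   = $state
        AdministratorsAttribute = $admins.Attributes
        IntegrityLevel          = $label.Name
    }
}

# Constructed sample: what a non-elevated admin session typically reports.
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)

Get-AdminTokenState -WhoamiCsv $sample   # evaluates the constructed sample
Get-AdminTokenState                      # evaluates the live token
```

Running the live check once in a normal console and once in a console started with "Run as administrator" shows whether the two sessions differ only in token filtering.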