AD DS: This domain controller must have “Enable computer and user accounts to be trusted for delegation“ granted to the Builtin Administrators security group

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

This domain controller must have the Enable computer and user accounts to be trusted for delegation user right granted to the Builtin Administrators security group if the domain controller is used as a replication partner during a domain controller promotion.

Impact

Installation of additional domain controllers (promoting domain controllers) in this domain may fail if they select this domain controller as a replication partner during the installation.

Not granting the trusted-for-delegation right to the Administrators security group is a common cause of failure for installation of additional domain controllers. If this domain controller is selected as a replication partner during the promotion of an additional (replica) domain controller, this domain controller requires access to resources on the computer that you are promoting. If this user right is not granted to the Builtin Administrators security group, access to the resources will fail.

During the promotion of an additional domain controller, the UserAccountControl attribute for the computer that you are promoting must be modified. If the Enable computer and user accounts to be trusted for delegation user right is not granted to the Builtin\Administrators security group on this domain controller, modification of the UserAccountControl attribute cannot be completed, which causes the promotion of the additional (replica) domain controller to fail.

Resolution

Verify that the current domain controllers in this domain have the Enable computer and user accounts to be trusted for delegation user right granted to the Builtin Administrators group.

If a Group Policy object (GPO) other than the Default Domain Controllers Policy is applied to domain controllers, verify that the Enable computer and user accounts to be trusted for delegation user right is granted to the Builtin Administrators group in that other GPO as well.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify that the user right “Enable computer and user accounts to be trusted for delegation” is granted (using the Group Policy Results Wizard)

  1. Log on to the domain controller as a member of the Domain Admins group.

  2. Click Start, click Administrative Tools, and then click Group Policy Management.

  3. Expand Forest: <forest name>, right-click Group Policy Results, and then click Group Policy Results Wizard.

  4. On the Welcome page, click Next.

  5. Click This computer, and then click Next.

  6. Click Do not display user policy settings in the results (display computer policy settings only), and then click Next.

  7. On the Summary page, click Next, and then click Finish.

  8. Click Settings, and then click show all.

  9. Verify that the Enable computer and user accounts to be trusted for delegation user right is granted to BUILTIN\Administrators under the following node:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

  10. Note the value of the Winning GPO for this policy setting.

If the user right Enable computer and user accounts to be trusted for delegation is not granted to the Builtin Administrators group, use the following procedure to grant it. The following procedure involves editing the Default Domain Controllers Policy. However, if a GPO other than the Default Domain Controllers Policy was the Winning GPO in the previous procedure, complete this procedure on that GPO instead.

To grant the user right “Enable computer and user accounts to be trusted for delegation” in a domain-based GPO

  1. Click Start, click Administrative Tools, and then click Group Policy Management.

  2. Expand Forest: <forest name>, expand Domains, expand <domain name>, and then expand Domain Controllers. If you have placed this domain controller in a different OU than Domain Controllers, expand that OU.

  3. Right-click Default Domain Controllers Policy (or the Winning GPO), and then click Edit.

  4. In the console tree, expand the following node:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

  5. In the details pane, double-click Enable computer and user accounts to be trusted for delegation.

  6. Click Add User or Group, type Administrators, and then click OK.

Note

To apply the policy update immediately, open an elevated command prompt, and then run the command gpupdate /force.
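As an added example that is not part of the original article, the following PowerShell script checks the same condition from the command line after the policy has been applied: it exports the effective User Rights Assignment of the local domain controller with secedit, looks up the right by its internal constant name SeEnableDelegationPrivilege, and reports whether BUILTIN\Administrators (well-known SID S-1-5-32-544) holds it. The temporary export path is an assumption; run it from an elevated PowerShell prompt on the domain controller.

```powershell
# Added example (not from the original article). Verifies that the
# "Enable computer and user accounts to be trusted for delegation" right
# (constant name SeEnableDelegationPrivilege) is held by BUILTIN\Administrators
# on this domain controller. Compatible with PowerShell 2.0 (Windows Server 2008 R2).

$adminsSid = 'S-1-5-32-544'                      # well-known SID of BUILTIN\Administrators
$inf = Join-Path $env:TEMP 'user-rights.inf'    # export target (assumed temporary path)

# Export only the User Rights Assignment area of the effective local security policy.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }

# The export is INI-style; the right appears under [Privilege Rights] as e.g.
#   SeEnableDelegationPrivilege = *S-1-5-32-544
# Holders are comma-separated; SIDs carry a leading '*', plain names do not.
$line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeEnableDelegationPrivilege is not assigned to any principal on this DC.'
    exit 1
}

$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }

# Resolve each SID to an account name so the report is readable.
$report = foreach ($h in $holders) {
    $name = $h
    if ($h -match '^\*?S-1-') {
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # leave unresolved SIDs as-is
    }
    New-Object PSObject -Property @{ Holder = $h; Account = $name }
}
$report | Format-Table Holder, Account -AutoSize

if ($holders -contains "*$adminsSid") {
    Write-Host 'OK: BUILTIN\Administrators holds SeEnableDelegationPrivilege.'
} else {
    Write-Warning 'BUILTIN\Administrators does NOT hold SeEnableDelegationPrivilege; grant it in the Winning GPO.'
    exit 1
}
```

Because secedit exports the policy that is currently applied, run it after gpupdate /force so the result reflects the edited GPO rather than the previous refresh.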

Additional references

Article 250874 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=169206)