Windows 2003 Server - Domain Admins don't have Admin Rights on W2K3 servers

Posted on 2005-04-04
Medium Priority
Last Modified: 2010-04-18
We have recently added 2 Windows 2003 servers to a domain.  The other machines on the domain and the DNS server are Windows 2000 systems with the latest service packs.  I verified that the W2K3 systems are defined to the DNS active directory (again, the DNS server is a Windows 2000 server).  I can log on to the Windows 2003 systems as a Domain Administrator, but I seem to have limited administrative rights.  For example, I was able to install SQL Server 2000, but I can't define other network users to the Windows 2003 systems (i.e., when attempting to add domain users to the system, the Windows 2003 servers are only allowing me to access local user accounts, even though I'm logged in as a Domain Administrator).  Is there some incompatibility issue with Windows 2003 servers running in a domain controlled by a Windows 2000 server?  Is there something I need to set in the security or local policies on the 2003 systems?  I appreciate any suggestions you might have.
Question by:expresivqa
Expert Comment

ID: 13702889
Are the win2003 servers Domain Controllers?


Author Comment

ID: 13702984
Hi tonyteri,
Thanks for your response.  No, neither of the Windows 2003 servers are domain controllers.  The domain controller is a Windows 2000 server.  Of the Windows 2003 servers, one is running Windows 2003 'Standard' edition and is being used as a database server.  The other 2003 system is running Windows 2003 'Web Edition' and is being used as a Web application server.
LVL 51

Accepted Solution

Netman66 earned 2000 total points
ID: 13703582
Have you added the new servers as member servers?

If so, you need to take a look at the local Administrators group on the servers to make sure the Domain Admins group is a member.

If it is, then there might be policies at work in the domain for Restricted Groups that are "undoing" the group nesting.

Create a new OU in your AD called Member Servers.  Move the member servers into this OU.  Right click the OU and select Properties, then Group Policy tab, then check the box at the bottom for Block Policy Inheritance.

Let us know if your Domain Admin Account feels better now.
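
The first checks in the answer above (is the server really a member server, and is Domain Admins nested in the local Administrators group) can be run from a PowerShell prompt on the server itself. This is an added example, not part of the original answer; it assumes PowerShell is installed on the Windows 2003 server and that the built-in groups carry their English names.

```powershell
# Added example, not from the original thread. Run locally on the member server.
# Assumes English built-in group names ("Administrators", "Domain Admins").

# 1. Confirm the machine is really joined to the domain as a member server.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$roleName = switch ($cs.DomainRole) {
    2 { 'Standalone server (not domain joined)' }
    3 { 'Member server' }
    4 { 'Backup domain controller' }
    5 { 'Primary domain controller' }
    default { 'Workstation' }
}
"Domain / workgroup : $($cs.Domain)"
"Part of a domain   : $($cs.PartOfDomain)"
"Role               : $roleName"

# 2. List the local Administrators group through the WinNT ADSI provider.
$group = [ADSI]"WinNT://$($env:COMPUTERNAME)/Administrators,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})
"Local Administrators members:"
$members | ForEach-Object { "  $_" }

# A nested domain group appears as WinNT://<NETBIOS-DOMAIN>/Domain Admins.
$nested = @($members | Where-Object { $_ -like 'WinNT://*/Domain Admins' })
if ($nested.Count -gt 0) {
    "OK: Domain Admins is nested in local Administrators."
} elseif (-not $cs.PartOfDomain) {
    "Machine is not domain joined; join it before checking group nesting."
} else {
    "MISSING: Domain Admins is not in local Administrators."
    "If it was added and disappeared, look for a Restricted Groups policy."
}

# 3. Show which GPOs apply to the computer, to find one that could carry
#    a Restricted Groups setting.
gpresult /scope computer /v
```

If the role prints as a standalone server, the group check is moot until the machine is joined to the domain.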

Expert Comment

ID: 13704258
Hi tonyteri
Please check the dialog log you are using to add users, it should have an entry (the second one from the top) called "From This Location:", just make sure that you have the domain name in there, if not then press the button "Locations" and choose your domain from the popup window, then press OK.
Hope this might help.


Expert Comment

ID: 13704260
I meant the Dialog Box, sorry :)

Author Comment

ID: 13707598
Thanks folks.  I really appreciate the comments.  I know that I'm showing my very novice level of networking computers here, but:
1.  Netman66, what do your acronyms 'OU' and 'AD' mean?
2.  CapFaris - On the 2003 servers, when I click the 'Locations' button, it is only giving me the machine's domain; not the network domain, even though I'm logged into the machine as a Domain Administrator.
LVL 51

Expert Comment

ID: 13709048
OU = Organizational Unit
AD = Active Directory

