Domain Admin: Getting Access Denied and Insufficient Rights Dialog Boxes
Posted on 2008-10-08
Just took over an SBS network for a company that outed their old admin. The company is trying to do everything it can to not utilize the old admin any longer... including any future contact. One of my first tasks was to make sure the old admin could no longer access the network. I logged into the server under the built-in Administrator account, changed that password immediately, but then was shocked at what I found. I could not do many things an admin, and a Domain Admin at that, should be able to do. I cannot, for example, delete the old admin's AD user account, I cannot create new user accounts utilizing the Administrator template, etc. Nothing of privilege can I do. I checked the Domain Admin group, I can confirm I am a part of that group. I checked Group Policy... nothing strange there. Ran a Group Policy report on the Administrator account and it belongs to these security groups:
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
[domain-name-removed]\Group Policy Creator Owners
There is no other super-user account that I can find... the only candidate would be the User account for the old admin... a separate account from the Administrator account... but his old account is not part of any special group other than the same listed above... so anything that would block my account from doing much would block his account too.