Domain controller prerequisites check fails - The Administrator account does not have the "Enable computer and user accounts to be trusted for delegation" right enabled

Maheswaran Shanmugavelu 0 Reputation points
2025-04-15T14:28:33.8333333+00:00

[Screenshot: AD 2025-04-14 152652]

The domain controller prerequisites check failed. The Administrator account lacks the "Enable computer and user accounts to be trusted for delegation" right. We enabled this right and rebuilt the domain controller, but the issue persists. See the screenshots for details.

Current Domain Functional Level: Windows Server 2016

New Domain Controller OS: Windows Server 2025


1 answer

  1. Hoang Phan0701 75 Reputation points Independent Advisor
    2025-08-11T08:11:13.5733333+00:00

    Dear Maheswaran Shanmugavelu,

    My name is Hoang Phan, and I understand that you have a query concerning domain controller promotion.

    It seems that the user account used to execute DCPROMO hasn't been granted the "Enable computer and user accounts to be trusted for delegation" user right.

    Steps to resolve the issue:

    1. Verify that the default domain controllers policy exists in Active Directory.
      • If the domain controller policy doesn't exist, evaluate whether that condition is because of simple replication latency, an Active Directory replication failure or whether the policy has been deleted from Active Directory.
      • If the policy has been deleted, contact Microsoft Support to recreate the missing policy with the default policy GUID (Globally Unique Identifier). Don't manually recreate the policy with the same name and settings as the default.
      • If the default domain controllers policy exists in Active Directory on some domain controllers but not others, evaluate whether that inconsistency is due to simple replication latency or a replication failure. Resolve as required.
    2. Verify that the server account is not protected from accidental deletion.
      • To do this, go to the Active Directory Administrative Center, find your server under the Computers listing within your domain, open the properties.
      • In the first section, right under the operating system information, make sure the Protect from accidental deletion checkbox is unchecked.
      • In the process of elevation to Domain Controller, the computer account for the server is deleted, and re-added as a Domain Controller. If this checkbox is clicked, this can't happen.
    3. Verify that the user account that performs the DCPROMO operation has been granted the "Enable computer and user accounts to be trusted for delegation" user right in the default domain controllers policy.
      • Run whoami /all to verify that the "Enable computer and user accounts to be trusted for delegation" user right exists in the user's security token.
      • Note: By default, this right is granted to members of the Administrators security group in the target domain. The built-in Administrator account is a member of this security group but may have been removed.
      • If a user other than a member of the built-in Administrators group is doing DCPROMO promotions, either add that user account to the Administrators security group OR grant the user account the "Enable computer and user accounts to be trusted for delegation" user right in the default domain controllers policy.
      • If the "Enable computer and user accounts to be trusted for delegation" user right was recently modified, or the policy granting it to the DCPROMO user account exists on some domain controllers in the domain but not others, check for simple replication latency or a replication failure in both Active Directory and File System Replication (FSR) / Distributed File System Replication (DFSR).
      • If the policy was recently modified, have the DCPROMO user account sign out and sign in.
    4. Verify that the default domain controllers policy is linked to the domain controllers OU and that all DC machine accounts stay in that OU.
      • If DC machine accounts stay in an alternate OU container, either move all DC machine accounts to the domain controllers OU or link the default domain controllers policy to the alternate OU container.
    5. Verify that the file system portion of default domain controllers policy exists in the SYSVOL share of the DC being used to apply policy on the computer being promoted or demoted.
      • If not present, it can be because of one or more of the following reasons:
        • Replication latency in FRS / DFSR
        • A replication failure in FRS / DFSR
        • The policy has been deleted from the SYSVOL. If the policy has been deleted, contact Microsoft Support to recreate the missing policy with the default policy GUID. Don't manually recreate the policy with the same name and settings as the default.
    6. The default domain policy, or policy in general, isn't applying to the logged-on user.
      • To check for policy inheritance, Windows Management Instrumentation (WMI) filtering or security descriptor problems that may be preventing policy from applying, run the following command: gpresult /h result.html

    Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/access-denied-error-occurs-dcpromo

    I hope this information proves helpful. Please don’t hesitate to reach out if you need further clarification—I’ll be happy to assist 🙂


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Best regards,

    Hoang Phan

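The six checks in the answer above can be run as one pre-promotion script. The following PowerShell is an added example and is not code from the thread or from Microsoft's troubleshooting article. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that it runs in an elevated session as the account that will perform the promotion, and that the server to be promoted is named by the hypothetical `$ServerName` parameter. It relies on two facts not stated on the page: the Default Domain Controllers Policy has the well-known GUID 6AC1786C-016F-11D2-945F-00C04fB984F9 in every domain, and the "Enable computer and user accounts to be trusted for delegation" right is named SeEnableDelegationPrivilege internally, which is how whoami and GptTmpl.inf refer to it.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added pre-promotion check script; not from the Q&A thread or Microsoft's docs.
# Run elevated, as the account that will perform the promotion, with RSAT installed.
param(
    # Hypothetical parameter: the member server about to be promoted.
    [string]$ServerName = $env:COMPUTERNAME
)

Import-Module ActiveDirectory, GroupPolicy

# Well-known GUID of the Default Domain Controllers Policy; it is identical in every domain.
$DdcpGuid = [guid]'6AC1786C-016F-11D2-945F-00C04fB984F9'
$domain   = Get-ADDomain

function Report([bool]$Ok, [string]$Message, [string]$Hint) {
    if ($Ok) { Write-Host "[OK]   $Message" } else { Write-Warning "[FAIL] $Message. $Hint" }
}

# Step 1: the Default Domain Controllers Policy object must exist in Active Directory.
$ddcp = Get-GPO -Guid $DdcpGuid -Domain $domain.DNSRoot -ErrorAction SilentlyContinue
Report ($null -ne $ddcp) "Default Domain Controllers Policy ($DdcpGuid) exists in AD" `
       "Check replication or open a support case; do not recreate it by hand"

# Step 2: the computer account must not be protected from accidental deletion,
# because promotion deletes the account and re-creates it as a DC account.
$computer = Get-ADComputer -Identity $ServerName -Properties ProtectedFromAccidentalDeletion
Report (-not $computer.ProtectedFromAccidentalDeletion) "$ServerName is not protected from accidental deletion" `
       "Clear the 'Protect from accidental deletion' checkbox before promoting"

# Step 3: the promoting account's token must carry SeEnableDelegationPrivilege.
# whoami /priv lists the right even when it shows as Disabled; a UAC-filtered
# (non-elevated) token hides it, which is why the session must be elevated.
$tokenHasRight = [bool]((whoami /priv) -match 'SeEnableDelegationPrivilege')
Report $tokenHasRight "SeEnableDelegationPrivilege is present in the current token" `
       "Grant the right in the Default Domain Controllers Policy, or sign out and back in if it was granted recently"

# Step 4: the policy must be linked, and enabled, on the Domain Controllers OU.
$link = (Get-GPInheritance -Target $domain.DomainControllersContainer).GpoLinks |
        Where-Object { $_.GpoId -eq $DdcpGuid -and $_.Enabled }
Report ($null -ne $link) "Default Domain Controllers Policy is linked and enabled on $($domain.DomainControllersContainer)" `
       "Re-link the policy to the Domain Controllers OU, or move DC accounts back into it"

# Step 5: the file-system half of the policy must exist in SYSVOL. User-rights
# assignments live in GptTmpl.inf under [Privilege Rights]; read the delegation
# line from the PDC emulator's copy (NTFS paths are case-insensitive, so the
# lowercase GUID string is fine).
$gptTmpl = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\{$DdcpGuid}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (Test-Path $gptTmpl) {
    $grant = $null
    foreach ($line in Get-Content -Path $gptTmpl) {       # Get-Content honours the file's UTF-16 BOM
        if ($line -match '^\s*SeEnableDelegationPrivilege\s*=\s*(.+)$') { $grant = $Matches[1].Trim(); break }
    }
    Report ($null -ne $grant) "SYSVOL copy grants SeEnableDelegationPrivilege to: $grant (*S-1-5-32-544 is the Administrators group)" `
           "The right is not assigned in the SYSVOL copy of the policy"
} else {
    Report $false "SYSVOL copy of the policy is present at $gptTmpl" `
           "Check FRS/DFSR latency or failure, or whether the policy folder was deleted"
}

# Step 6: if every check passes and promotion still fails, capture the resultant set of
# policy for this account and inspect it for inheritance, WMI-filter or ACL problems.
gpresult /h "$env:TEMP\dcpromo-gpresult.html" /f
Write-Host "Resultant Set of Policy report written to $env:TEMP\dcpromo-gpresult.html"
```

Each failed check prints the same remediation the answer gives for that step, so the script maps directly onto the six-step procedure; it only reads AD, SYSVOL and the current token and changes nothing.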
