JSI Tip 6751. When you try to promote a Windows 2000 Server as a Replica, DCPromo issues an 'Access Denied'?

If you examine the Dcpromoui.log file, you see that the initial steps succeeded and the server is now a member server, but the promotion failed because DCPromo could not modify the machine account.

Members of the Administrators group have the Delegation Privilege right by default. If you used an account that is not a member of Administrators, it must be granted the Delegation Privilege right.

NOTE: If you did grant the Delegation Privilege right, it is possible that replication latency has delayed its application.

To grant the Delegation Privilege right:

1. Open the Default Domain Controllers Group Policy snap-in.

2. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

3. Double-click Enable Computer and User Accounts to be trusted for Delegation.

4. Add the appropriate groups or users.

5. Open a CMD prompt, type secedit /refreshpolicy machine_policy /enforce, and press Enter.
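To confirm which accounts the policy actually grants this right to, the added example below (not part of the original tip) parses the [Privilege Rights] section of a security template and lists the holders of SeEnableDelegationPrivilege, the internal name of the right set in step 3. It assumes you have the policy's GptTmpl.inf template available as text; the sample template and the account EXAMPLE\dcpromo-ops are constructed for illustration.

```python
# Added example: list who holds the delegation right in a security template.
ADMINISTRATORS_SID = "S-1-5-32-544"    # well-known SID of BUILTIN\\Administrators
RIGHT = "SeEnableDelegationPrivilege"  # right assigned in step 3

# Constructed sample in GptTmpl.inf layout (not taken from a real domain).
# Real template files are usually UTF-16; decode them to text first.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeEnableDelegationPrivilege = *S-1-5-32-544,EXAMPLE\\dcpromo-ops
"""

def privilege_rights(template_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are comma separated; SIDs carry a leading '*'.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights

def delegation_holders(template_text):
    """Return (all holders, holders other than BUILTIN\\Administrators)."""
    holders = privilege_rights(template_text).get(RIGHT, [])
    extra = [h for h in holders if h.upper() != ADMINISTRATORS_SID]
    return holders, extra

if __name__ == "__main__":
    holders, extra = delegation_holders(SAMPLE_TEMPLATE)
    print("Holders of", RIGHT + ":", holders)
    print("Granted beyond Administrators:", extra)
```

An empty second list means only Administrators hold the right in that template; any other entry should match an account you added deliberately in step 4.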
