Cannot set TRUSTED_FOR_DELEGATION flag in userAccountControl for A

[Guest]

On a Windows 2000 Domain Controller, while logged in as Administrator, I am
unable to set the TRUSTED_FOR_DELEGATION flag in the userAccountControl
attribute for the Administrator account. I can do this without problem on a
Windows 2003 Domain Controller in another unrelated domain.

The error is: A required privelege is not held by the client.

When I look at the Account tab of the Properties dialog of the Administrator
account (in Active Directory Users & Computers snap-in), all of the Account
Options checkboxes are grayed out except for the top two password related
checkboxes.

Ultimately, I am trying to add a Windows 2003 server as a DC to this domain.
I have already adprep'd the forest and domain. The domain replicates to
the new DC, but promotion of the server to DC fails with access denied.

Yes, the Administrators account is listed in the Enable computer and user
accounts to be trusted for delegation policy and the Administrator account is
indeed a member of Administrators for the domain.

Any ideas on what else might need to be done?

Thanks!

 

[Guest]

By using a regular user account and adding it to all of the groups that the
Administrator account belongs to, I was able to set the
TRUSTED_FOR_DELEGATION flag. I was also able to use this account to promote
the Win2k3 machine to DC as an additional DC in the domain.

Still, I would definitely like to understand why the Administrator account
Account Options are grayed out and unchangeable.

 

[Guest]

Interesting. From the new win2k3 DC I can now set the Administrator Account
Options, but from the original, master DC running Windows 2000 the
Administrator Account options are still grayed out.