Resolution
fact
Directory and Resource Administrator 7.x
fact
Directory and Resource Administrator 8.0
symptom
Error: 'Could not determine if account is an Administrator in the domain' received when installing Directory and Resource Administrator.
cause
DRA is not able to enumerate nested groups.
fix
The issue can occur if the Service Account is not in the main Domain Admins group but is added to a group that is then nested in the Domain Admins group. The API Directory and Resource Administrator is using to determine whether a user is an administrator (NetUserGetLocalGroups() with the LG_INCLUDE_INDIRECT option) does not look at group nesting. In NT4 and Win2k mixed-mode, you can not add a global group to another global group, but in native-mode you can.
This is scheduled to be addressed in a future version of DRA. The workaround is to specifically add the service account directly to the Domain Admins group.
Directory and Resource Administrator 7.x
fact
Directory and Resource Administrator 8.0
symptom
Error: 'Could not determine if account is an Administrator in the domain' received when installing Directory and Resource Administrator.
cause
DRA is not able to enumerate nested groups.
fix
The issue can occur if the Service Account is not in the main Domain Admins group but is added to a group that is then nested in the Domain Admins group. The API Directory and Resource Administrator is using to determine whether a user is an administrator (NetUserGetLocalGroups() with the LG_INCLUDE_INDIRECT option) does not look at group nesting. In NT4 and Win2k mixed-mode, you can not add a global group to another global group, but in native-mode you can.
This is scheduled to be addressed in a future version of DRA. The workaround is to specifically add the service account directly to the Domain Admins group.
Additional Information
Formerly known as NETIQKB41205