1. Some users (non-administrators) exhibit the ability to add workstations to the domain while other users (also non-administrators) are denied that ability. Can I assume that is due to the user being authenticated by domain controllers with differing local security policies as outlined above (DC A does not allow, while DC B does allow)?
2. If the local security policy defined on DC B (specifically the "add workstations to domain" policy set to administrators and authenticated users) existed before the server was promoted to a DC, would that policy be inherited or assumed into the entire AD/Domain policy as a whole? And would this allow all authenticated users to add workstations or possibly creating a situation like in question 1 where it depends on where a users authentication takes place?
Debugging security policy issues can be quite involved. When a server is promoted to a DC, if it is the first DC then it obtains its security policies from the template defined for domain controllers, which, of course, is an .inf file, a text file and could have been altered before the dc was promoted. If the DC is not the first DC, then it gets its policy from the existing DC that becomes its replication partner. Of course, as mentioned before, GPOs on OUs can mean different users will be able to do different things. Check the health of your Active Directory, and then determine just what GPO's are affecting the user accounts.
This was first published in December 2003