Windows Server 2012 – Unable To Promote To A Domain Controller

I recently performed a series of Domain Controller upgrades for a customer and experienced an error that does not appear to be commonly encountered. During the prerequisites check that is performed during the promotion, the following error was experienced:

“Verification of prerequisites for Active Directory preparation failed.  The specified user does not have SeSecurityPrivilegeEnabled”

I had also noticed prior to the prerequisites check that the wizard was reporting my domain administrator account was not a member of either the Enterprise Admins or Schema Admins groups, which is required to extend the schema when promoting the first Windows Server 2012 domain controller. After researching the “SeSecurityPrivilegeEnabled” property, it appeared the domain administrator account did not have sufficient permissions over the “Manage auditing and security log” under the machine's local group policy. To resolve the promotion issue, the following was performed:

1. Connect to an existing domain controller and open the Group Policy Management Console.

2. Expand the domain and then the Domain Controllers OU, and select to edit the Default Domain Controllers group policy.

3. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policy -> User Rights Assignment.

4. Select the “Manage auditing and security log” entry and open its properties.

5. Check the “Define these policy settings” checkbox and then use the “Add user or group” button to add the Domain\Administrator account and the Domain\Domain Admins group.

6. Close the Group Policy Object Editor, then open a new command prompt window and run “gpupdate /force”. Additionally, perform this step on the machine you are trying to promote to a domain controller.

7. Re-run the domain controller promotion wizard on the Windows Server 2012 platform and the prerequisites check should now complete.
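To confirm that steps 5 and 6 took effect, the following added example (not part of the original post) exports the effective user rights with secedit and lists every principal holding SeSecurityPrivilege, the privilege behind “Manage auditing and security log”, then checks the current logon token with whoami /priv. It assumes an elevated PowerShell prompt; the temporary file name is arbitrary. Because a defined policy setting replaces the whole list, the output also shows whether any principal that held the right before the edit is now missing.

```powershell
# Added example: list who holds SeSecurityPrivilege on this machine.
# Assumes an elevated PowerShell prompt; the temp file name is arbitrary.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'

# Export only the [Privilege Rights] section of the effective security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
        Select-Object -First 1

    $holders = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1].Split(',') | Where-Object { $_.Trim() }
        $holders = @($entries | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; resolve them to names where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # unresolvable SID: report it as-is
            } else {
                $entry
            }
        })
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if ($holders.Count -eq 0) {
    Write-Warning 'No principal is assigned SeSecurityPrivilege on this machine.'
} else {
    'Principals holding SeSecurityPrivilege:'
    $holders | ForEach-Object { "  $_" }
}

# User rights are placed in the token at logon, so sign out and back in after
# gpupdate before relying on this check. A State of "Disabled" in whoami output
# is normal: the privilege is held and a process enables it when needed.
$inToken = [bool](whoami /priv | Select-String -SimpleMatch 'SeSecurityPrivilege')
"Current token lists SeSecurityPrivilege: $inToken"
```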

That’s it, all done.