Here is my issue. I am first trying to determine if I am just not understanding AD, or if there is actually something wrong because my DC promotion was problematic. If I am not understanding AD, then I hope someone will take pity and help me.
I have a 2012 server as DC for company.com and a 2012 server as a child DC child.company.com, and here are my issues.
1. I make a new user in company.com called TEST. I make a global group in company.com called TESTGROUP. I add TEST to TESTGROUP, make TESTGROUP TEST's primary group, and remove TEST from DOMAIN USERS. TESTGROUP IS NOT A MEMBER OF ANY GROUP. My problem is TEST STILL ACTS LIKE IT HAS DOMAIN USER RIGHTS.
2. I try to log in to a computer on child.company.com as an Enterprise Admin. I can log in. However, I cannot elevate privileges. Shouldn't I be able to?