ADMT Update User Rights option

Posted on 2009-02-13
Last Modified: 2012-05-06
What kind of rights is migrated when you select Update User Rights option in ADMT? I am having an error message when I use this option when migrating users with ADMT 3.0. Here are the error: ERR2:7228 Error updating user rights for CN=UserName, rc=-2147024891  Access is denied.

I want to know what kind of rights is migrated so I can take a clear decision if I can skip this option during my migration process.
Question by:SysAdmWin
    LVL 13

    Expert Comment

    Hello SysAdmWin,

    It looks like you can safely ignore that error message. See the following MS KB for reference:



    Author Comment

    It's not the same thing. My error message is Access Denied and I'm not migrating from NT 4, I'm migrating from a child Windows 2000 Domain to my main Windows 2003 Domain. Noboby can tell my exactly what this option does exactly???
    LVL 1

    Accepted Solution

    I am having this same exact issue (well not me personally, but a colleague).  It works for me.

    In my scenario, I'm migrating from one child domain to another child domain in the same forest.  I am a domain administrator in both child domains.  I can migrate by using this "update user rights" option without issue.

    My colleague however is delegated rights to specific OUs/Objects in both domains.  I'm trying to have them do migrations without being a full domain administrator.  (Maybe this is my first issue?).  I can't for the life of me find specific information citing the need to be a domain admin.

    At any rate, I don't fully understand this user rights option.  From my knowledge of user rights, they apply to specific local machines (i.e. via local security policy, or GPO).  These rights/privileges are stored locally on machines.  The ADMT tool only has access to the server ADMT is installed on, and the DCs involved in the migration.  Lastly user rights are most often provided via groups.  

    With all that said I don't see how these users could possibly have *any* types of user rights on the DCs themselves, so I don't see how this option is even useful.  Am I completely missing something?

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
    Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    761 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now