[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

BuiltIn\Administrator rights have been modified - ADMT migration

Posted on 2010-08-20
4
Medium Priority
?
573 Views
Last Modified: 2012-05-10
Hi,

 

I am planning for an ADMT migration and have discovered that the default rights in the source domain for the builtin administrators has been changed. I am currently unaware of why the rights have been modified from their out of the box state.

 

I have a virtualised test environment where I am planning the migration. After adding the domain admins to the builtin\administrators group in the source domain I noticed that I was still unable to perform administrative functions in the source domain. I then compared the rights delegated to the builtin\administrators to an out of the box domain. For whatever reasons the rights have been removed.

Needless to say, the ADMT tool throws up access denied errors all over the place.

Is anyone able to offer some suggestions on how I am best to work forward with this? Should I be looking to create a new group and delegate control over the whole directory to it?

I have concerns with the configuration of the source domain as it is not standard. Will the changes that have been made be supported by Microsoft?

 

Any help / suggestions would be appreciated.

 

Cheers

 

Aidan
0
Comment
Question by:aideb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 1000 total points
ID: 33487120
To restate, your production AD domain has had its Administrators group's rights modified (limited in some way).  You want to know how to regain complete administrative control to your AD.

To answer that, we will need to know more about your production AD.  Is it 2003 or 2008 (you listed both in your Tags)?  On what type of server do your FSMO roles rest?

Justin
0
 
LVL 2

Author Comment

by:aideb
ID: 33491106
The domain is at a 2003 functional level and has mainly 2003 servers (some 2008)
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 1000 total points
ID: 33500587
Is this a domain you inherited?  Is it possible that the prior admin(s) hardened the default MS policies?  There are several methodologies to do this, but I would start here:

http://technet.microsoft.com/en-us/library/cc773365%28WS.10%29.aspx

I know it will be a pain, but work backward through the processes it walks through.  You are likely to find where the change was made this way.

Justin
0
 
LVL 2

Author Closing Comment

by:aideb
ID: 33574544
Ended up delgating rights through AD to a new group to reduce risk
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question