[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 575
  • Last Modified:

BuiltIn\Administrator rights have been modified - ADMT migration

Hi,

 

I am planning for an ADMT migration and have discovered that the default rights in the source domain for the builtin administrators has been changed. I am currently unaware of why the rights have been modified from their out of the box state.

 

I have a virtualised test environment where I am planning the migration. After adding the domain admins to the builtin\administrators group in the source domain I noticed that I was still unable to perform administrative functions in the source domain. I then compared the rights delegated to the builtin\administrators to an out of the box domain. For whatever reasons the rights have been removed.

Needless to say, the ADMT tool throws up access denied errors all over the place.

Is anyone able to offer some suggestions on how I am best to work forward with this? Should I be looking to create a new group and delegate control over the whole directory to it?

I have concerns with the configuration of the source domain as it is not standard. Will the changes that have been made be supported by Microsoft?

 

Any help / suggestions would be appreciated.

 

Cheers

 

Aidan
0
aideb
Asked:
aideb
  • 2
  • 2
2 Solutions
 
Justin OwensITIL Problem ManagerCommented:
To restate, your production AD domain has had its Administrators group's rights modified (limited in some way).  You want to know how to regain complete administrative control to your AD.

To answer that, we will need to know more about your production AD.  Is it 2003 or 2008 (you listed both in your Tags)?  On what type of server do your FSMO roles rest?

Justin
0
 
aidebAuthor Commented:
The domain is at a 2003 functional level and has mainly 2003 servers (some 2008)
0
 
Justin OwensITIL Problem ManagerCommented:
Is this a domain you inherited?  Is it possible that the prior admin(s) hardened the default MS policies?  There are several methodologies to do this, but I would start here:

http://technet.microsoft.com/en-us/library/cc773365%28WS.10%29.aspx

I know it will be a pain, but work backward through the processes it walks through.  You are likely to find where the change was made this way.

Justin
0
 
aidebAuthor Commented:
Ended up delgating rights through AD to a new group to reduce risk
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now