Solved

BuiltIn\Administrator rights have been modified - ADMT migration

Posted on 2010-08-20
4
566 Views
Last Modified: 2012-05-10
Hi,

 

I am planning for an ADMT migration and have discovered that the default rights in the source domain for the builtin administrators has been changed. I am currently unaware of why the rights have been modified from their out of the box state.

 

I have a virtualised test environment where I am planning the migration. After adding the domain admins to the builtin\administrators group in the source domain I noticed that I was still unable to perform administrative functions in the source domain. I then compared the rights delegated to the builtin\administrators to an out of the box domain. For whatever reasons the rights have been removed.

Needless to say, the ADMT tool throws up access denied errors all over the place.

Is anyone able to offer some suggestions on how I am best to work forward with this? Should I be looking to create a new group and delegate control over the whole directory to it?

I have concerns with the configuration of the source domain as it is not standard. Will the changes that have been made be supported by Microsoft?

 

Any help / suggestions would be appreciated.

 

Cheers

 

Aidan
0
Comment
Question by:aideb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 33487120
To restate, your production AD domain has had its Administrators group's rights modified (limited in some way).  You want to know how to regain complete administrative control to your AD.

To answer that, we will need to know more about your production AD.  Is it 2003 or 2008 (you listed both in your Tags)?  On what type of server do your FSMO roles rest?

Justin
0
 
LVL 2

Author Comment

by:aideb
ID: 33491106
The domain is at a 2003 functional level and has mainly 2003 servers (some 2008)
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 500 total points
ID: 33500587
Is this a domain you inherited?  Is it possible that the prior admin(s) hardened the default MS policies?  There are several methodologies to do this, but I would start here:

http://technet.microsoft.com/en-us/library/cc773365%28WS.10%29.aspx

I know it will be a pain, but work backward through the processes it walks through.  You are likely to find where the change was made this way.

Justin
0
 
LVL 2

Author Closing Comment

by:aideb
ID: 33574544
Ended up delgating rights through AD to a new group to reduce risk
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question