Solved

BuiltIn\Administrator rights have been modified - ADMT migration

Posted on 2010-08-20
Last Modified: 2012-05-10
Hi,

I am planning for an ADMT migration and have discovered that the default rights in the source domain for the builtin administrators have been changed. I am currently unaware of why the rights have been modified from their out of the box state.

I have a virtualised test environment where I am planning the migration. After adding the domain admins to the builtin\administrators group in the source domain I noticed that I was still unable to perform administrative functions in the source domain. I then compared the rights delegated to the builtin\administrators to an out of the box domain. For whatever reasons the rights have been removed.

Needless to say, the ADMT tool throws up access denied errors all over the place.

Is anyone able to offer some suggestions on how I am best to work forward with this? Should I be looking to create a new group and delegate control over the whole directory to it?

I have concerns with the configuration of the source domain as it is not standard. Will the changes that have been made be supported by Microsoft?

Any help / suggestions would be appreciated.

Cheers

Aidan
Question by:aideb
4 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 33487120
To restate, your production AD domain has had its Administrators group's rights modified (limited in some way).  You want to know how to regain complete administrative control to your AD.

To answer that, we will need to know more about your production AD.  Is it 2003 or 2008 (you listed both in your Tags)?  On what type of server do your FSMO roles rest?

Justin
0
 
LVL 2

Author Comment

by:aideb
ID: 33491106
The domain is at a 2003 functional level and has mainly 2003 servers (some 2008)
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 500 total points
ID: 33500587
Is this a domain you inherited?  Is it possible that the prior admin(s) hardened the default MS policies?  There are several methodologies to do this, but I would start here:

http://technet.microsoft.com/en-us/library/cc773365%28WS.10%29.aspx

I know it will be a pain, but work backward through the processes it walks through.  You are likely to find where the change was made this way.

Justin
0
 
LVL 2

Author Closing Comment

by:aideb
ID: 33574544
Ended up delegating rights through AD to a new group to reduce risk
0
