Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Migration of built in groups

Posted on 2014-04-04
2
686 Views
Last Modified: 2014-04-30
We are doing cross forest migration using QMM for AD. I have a concern related to the bullt in groups “domain admins” and “domain users”  that we are not migrating and making sure that the users who were in those groups in the source and once they are migrated they don’t lose access to the resources. We won’t be migrating those groups to the target. . What is the best tool to use to analyze permissions? How do you usually re-assign permissions in the target for those built in groups? What is the simplest and best approach here to ensure the access to resources after the migration.
0
Comment
Question by:claudiamcse
2 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39979520
We won’t be migrating those groups to the target.  You can't have them and not migrate them..
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39979690
Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT \ QM) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT \ QM migration objects.

If you want to migrate domain admins and domain users, you need to use SID mapping file for migration and with ADMT you can use security translation wizard to translate security on shares, NTFS security on already migrated servers but you can't simply migrate those groups
With security translation its possible to replace source domain admins \ domain users with target domain admins \ domain users

I don't know if this feature is available with QM, please check
Below post shows how to create SID mapping file and do security translation for built-in principles with already migrated objects
http://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

With ADMT,
1st migrate server with standard ADMT computer migration wizard
After that use above method to translate built-in accounts security

Mahesh.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
The viewer will learn how to simulate a series of sales calls dependent on a single skill level and learn how to simulate a series of sales calls dependent on two skill levels. Simulating Independent Sales Calls: Enter .75 into cell C2 – “skill leve…
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question