Solved

Migration of built in groups

Posted on 2014-04-04
2
727 Views
Last Modified: 2014-04-30
We are doing cross forest migration using QMM for AD. I have a concern related to the bullt in groups “domain admins” and “domain users”  that we are not migrating and making sure that the users who were in those groups in the source and once they are migrated they don’t lose access to the resources. We won’t be migrating those groups to the target. . What is the best tool to use to analyze permissions? How do you usually re-assign permissions in the target for those built in groups? What is the simplest and best approach here to ensure the access to resources after the migration.
0
Comment
Question by:claudiamcse
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39979520
We won’t be migrating those groups to the target.  You can't have them and not migrate them..
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39979690
Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT \ QM) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT \ QM migration objects.

If you want to migrate domain admins and domain users, you need to use SID mapping file for migration and with ADMT you can use security translation wizard to translate security on shares, NTFS security on already migrated servers but you can't simply migrate those groups
With security translation its possible to replace source domain admins \ domain users with target domain admins \ domain users

I don't know if this feature is available with QM, please check
Below post shows how to create SID mapping file and do security translation for built-in principles with already migrated objects
http://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

With ADMT,
1st migrate server with standard ADMT computer migration wizard
After that use above method to translate built-in accounts security

Mahesh.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question