?
Solved

Migration of built in groups

Posted on 2014-04-04
2
Medium Priority
?
751 Views
Last Modified: 2014-04-30
We are doing cross forest migration using QMM for AD. I have a concern related to the bullt in groups “domain admins” and “domain users”  that we are not migrating and making sure that the users who were in those groups in the source and once they are migrated they don’t lose access to the resources. We won’t be migrating those groups to the target. . What is the best tool to use to analyze permissions? How do you usually re-assign permissions in the target for those built in groups? What is the simplest and best approach here to ensure the access to resources after the migration.
0
Comment
Question by:claudiamcse
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39979520
We won’t be migrating those groups to the target.  You can't have them and not migrate them..
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39979690
Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT \ QM) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT \ QM migration objects.

If you want to migrate domain admins and domain users, you need to use SID mapping file for migration and with ADMT you can use security translation wizard to translate security on shares, NTFS security on already migrated servers but you can't simply migrate those groups
With security translation its possible to replace source domain admins \ domain users with target domain admins \ domain users

I don't know if this feature is available with QM, please check
Below post shows how to create SID mapping file and do security translation for built-in principles with already migrated objects
http://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

With ADMT,
1st migrate server with standard ADMT computer migration wizard
After that use above method to translate built-in accounts security

Mahesh.
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question