Solved

Migration of built in groups

Posted on 2014-04-04
2
655 Views
Last Modified: 2014-04-30
We are doing cross forest migration using QMM for AD. I have a concern related to the bullt in groups “domain admins” and “domain users”  that we are not migrating and making sure that the users who were in those groups in the source and once they are migrated they don’t lose access to the resources. We won’t be migrating those groups to the target. . What is the best tool to use to analyze permissions? How do you usually re-assign permissions in the target for those built in groups? What is the simplest and best approach here to ensure the access to resources after the migration.
0
Comment
Question by:claudiamcse
2 Comments
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 39979520
We won’t be migrating those groups to the target.  You can't have them and not migrate them..
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39979690
Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT \ QM) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT \ QM migration objects.

If you want to migrate domain admins and domain users, you need to use SID mapping file for migration and with ADMT you can use security translation wizard to translate security on shares, NTFS security on already migrated servers but you can't simply migrate those groups
With security translation its possible to replace source domain admins \ domain users with target domain admins \ domain users

I don't know if this feature is available with QM, please check
Below post shows how to create SID mapping file and do security translation for built-in principles with already migrated objects
http://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

With ADMT,
1st migrate server with standard ADMT computer migration wizard
After that use above method to translate built-in accounts security

Mahesh.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Technology opened people to different means of presenting information, but PowerPoint remains to be above competition. Know why PPT still works today.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Viewers will learn the different options available in the Backstage view in Excel 2013.
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

30 Experts available now in Live!

Get 1:1 Help Now