Solved

Migration of built in groups

Posted on 2014-04-04
2
701 Views
Last Modified: 2014-04-30
We are doing cross forest migration using QMM for AD. I have a concern related to the bullt in groups “domain admins” and “domain users”  that we are not migrating and making sure that the users who were in those groups in the source and once they are migrated they don’t lose access to the resources. We won’t be migrating those groups to the target. . What is the best tool to use to analyze permissions? How do you usually re-assign permissions in the target for those built in groups? What is the simplest and best approach here to ensure the access to resources after the migration.
0
Comment
Question by:claudiamcse
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39979520
We won’t be migrating those groups to the target.  You can't have them and not migrate them..
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39979690
Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT \ QM) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT \ QM migration objects.

If you want to migrate domain admins and domain users, you need to use SID mapping file for migration and with ADMT you can use security translation wizard to translate security on shares, NTFS security on already migrated servers but you can't simply migrate those groups
With security translation its possible to replace source domain admins \ domain users with target domain admins \ domain users

I don't know if this feature is available with QM, please check
Below post shows how to create SID mapping file and do security translation for built-in principles with already migrated objects
http://blog.thesysadmins.co.uk/admt-series-10-security-translation-wizard-local-profiles.html

With ADMT,
1st migrate server with standard ADMT computer migration wizard
After that use above method to translate built-in accounts security

Mahesh.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Viewers will learn how to maximize accessibility options in an Excel workbook for users with accessibility issues.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question