Add user from another forest as a domain admin
m-m
2007-05-31 18:52:40 UTC
Hello,
I am trying to run the ADMT migration tool but I keep running into
issues regarding permissions.

I have computers and users in one domain that need to be transferred
to a new domain in a totally different forest.

In order for the computer migration to work, the account ADMT is being
run on must be an admin on the computer being transferred, the source
DC and the target DC (correct?).

The easiest way in our organization to do this is to temporarily make
the account a domain admin in both domains.
However, I am unable to add a user from the target domain as a domain
admin in the source domain.

Any suggestions?
The domains are trusting each other (inbound and outbound external
trust).
mopalach
2007-05-31 19:03:01 UTC
Yes you need to start off with an external trust between the two domains.
Then add the user to the built-in admin group in Active Directory. After
that, in your group policy for your computers, add that user in the restricted
groups as a local admin. That will then replicate out to workstations so
they will be a local admin.
m-m
2007-05-31 19:12:59 UTC
Thanks for the response.
My trusts are verifying ok, but when I try to add the user as a domain
admin, I'm not able to select the other domain in the "locations"
area. I am only able to select users from the local domain/directory.
Therefore, I'm unable to add the outside acct as an admin...
Paul Williams [MVP]
2007-06-01 09:19:57 UTC
As has already been stated, you cannot add a user from the trusted domain
into a global group in the trusting domain. Instead, you need to create a
global group in the trusted domain and add that group to the local
administrators group on all workstations that you plan to migrate. There
are several ways of doing this; here are a couple:
-- http://www.msresource.net/content/view/45/47/


You can also use CUSRMGR. Depending on the source domain, you also need
permissions on the DCs. If this is NT, you'll also need to add yourself
into the builtin administrators group. If this is 2k or k3, you can
delegate the permissions you need.

Note. Adding the ADMT account's group to the builtin administrators group
will not help you migrate the computer accounts, as that works the same way
as a local group (but across all DCs instead of one).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Joe Richards [MVP]
2007-05-31 21:06:27 UTC
Domain Admins is a global group; it can only have members from the
domain the group exists in.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
jwd
2007-06-01 08:26:03 UTC
Add the appropriate user from the source domain to the Administrators group,
not Domain Admins. This is a Domain Local group and can therefore have
members from other domains. This will give you all the necessary rights to
use ADMT without having to use any Restricted Groups settings.

Best Regards
Joe Dunn MCSE
Paul Williams [MVP]
2007-06-01 09:25:46 UTC
Post by jwd
Add the appropriate user from the source domain to the Administrators group
not Domain Admins. This is a Domain Local group so can therefore have
members from other domains. This will give you all the necessary rights to
use ADMT without having to use any Restricted Groups settings.
Perhaps you are referring to something else, but as far as I can tell the OP
wants to get the necessary permissions in the source domain, not the target
domain. Therefore he needs administrative permissions on all computers and
in the domain itself.

If the target is k3, you can delegate the permissions needed - you basically
only need create child for computer, user, group and inetOrgPerson objects
and, if using SID History, the Migrate-SID-History extended right.

As a technicality, Administrators is a builtin group, not a domain local one.
While they act the same in most cases, technically builtin groups have no domain
affinity, which can cause the occasional bit of confusion. Note the SID -
S-1-5-32-544 - has no domain portion.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
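To make the group-scope rule the thread turns on concrete, here is an added Python example (constructed for this page, not code from any poster or from ADMT) that models which principals a global, universal or domain local/builtin group can hold across an external trust; the domain names, SIDs and the admt-svc account are assumed sample values.

```python
from dataclasses import dataclass

# Builtin groups (e.g. Administrators, S-1-5-32-544) sit under S-1-5-32 and
# carry no domain identifier, unlike S-1-5-21-<domain>-<rid> groups.
BUILTIN_PREFIX = "S-1-5-32-"

@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # domain the account lives in
    forest: str   # forest that domain belongs to

@dataclass(frozen=True)
class Group:
    name: str
    sid: str
    domain: str
    forest: str
    scope: str    # "global", "domainlocal" or "universal"

def sid_is_builtin(sid: str) -> bool:
    return sid.startswith(BUILTIN_PREFIX)

def can_be_member(principal: Principal, group: Group, trusts: set) -> tuple:
    """Return (allowed, reason). trusts holds (trusting, trusted) pairs of
    external trusts. Only domain local (and builtin) groups can hold a member
    from across such a trust; AD then stores it as a foreign security principal."""
    scope = "domainlocal" if sid_is_builtin(group.sid) else group.scope
    same_domain = principal.domain == group.domain
    same_forest = principal.forest == group.forest
    trusted = (group.domain, principal.domain) in trusts
    if scope == "global":
        return same_domain, "global groups only take members from their own domain"
    if scope == "universal":
        return same_forest, "universal groups only take members from their own forest"
    return (same_domain or same_forest or trusted), "domain local groups take members from any trusted domain"

# Constructed sample values (assumed, not from the thread): the ADMT account
# lives in target domain NEW and needs rights in source domain OLD.
TRUSTS = {("OLD", "NEW"), ("NEW", "OLD")}           # two-way external trust
ADMT_ACCOUNT = Principal("admt-svc", "NEW", "new.example")
OLD_DOMAIN_ADMINS = Group("Domain Admins", "S-1-5-21-1111-2222-3333-512", "OLD", "old.example", "global")
OLD_ADMINISTRATORS = Group("Administrators", "S-1-5-32-544", "OLD", "old.example", "domainlocal")

if __name__ == "__main__":
    for g in (OLD_DOMAIN_ADMINS, OLD_ADMINISTRATORS):
        allowed, reason = can_be_member(ADMT_ACCOUNT, g, TRUSTS)
        print(f"{ADMT_ACCOUNT.name}@{ADMT_ACCOUNT.domain} -> {g.name}@{g.domain}: {allowed} ({reason})")
```

Running it reports that the foreign account is refused by Domain Admins (global) but accepted by Administrators (builtin), which is exactly the behaviour the OP hit in the "locations" picker.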
jwd
2007-06-01 12:45:00 UTC
Thanks for your reply Paul. I was a bit vague in my post where I said
'appropriate user'. I was assuming the user having Domain Admin rights in
the source domain.

For migrations that I have done in the past, I have created a user account in
the source domain and added this to the source Domain Admins. I have then
added this same account to Administrators in the target domain, thus giving
the account admin rights on DCs in both domains and source PCs. ADMT is
then run in the context of this source domain account.

Best Regards
Joe Dunn MCSE