Re: Permissions Issue During NT4 to AD migration



I don't understand why if the AD domain admins are members of the
global group Administrators on the NT4 domain they would not be
included in the local account

That is because it is NOT a global group... Administrators is
LOCAL... Domain Admins is GLOBAL.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<joe.beaulieu@xxxxxxxxxx> wrote in message
news:1150316452.040929.282490@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Jorge - I think you also replied on my technet posting of the
same topic. Thanks for your time.

I don't understand why if the AD domain admins are members of the
global group Administrators on the NT4 domain they would not be
included in the local account. When you join the domain the Domain
Admins local group gets added to the local Administrators group on the
workstation.

The ADMT will not run without me implicitly adding the AD Domain Admins
group to the local machine, as you suggested. This is a workaround
that I have used, but I have better than 500 machines to address.
There is no mention anywhere in the ADMT setup instructions about this
need. It doesn't seem to make sense.


Jorge de Almeida Pinto [MVP] wrote:
Adding the AD Domain Admins to the NT4 Administrators of the domain
does not give you permissions on member servers or clients. For that
you need to add the AD Domain Admins to the local Administrators of
the servers or clients.

OR

Add the SID history of the NT4 Domain Admins to the AD Domain Admins.
That will not be possible with ADMT. The Clone Principal script from
MS is able to do this. Don't forget to clean up later on when ready!!!

OR

Use RUNAS

<joe.beaulieu@xxxxxxxxxx> wrote in message
news:1150306084.452626.293340@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am finally doing the NT4 to AD dance. I have created full trust
relationships between the new Win2003 DC and the NT4 DC. The Win2003
DC is in Native mode.

After creating the trusts, I added the Domain Admins group from the AD
domain to the Administrators Global Group - no problem. I would now
expect any Domain Admin in the AD domain to be able to administer the
NT4 domain. Well - it's not happening.

Logged in under the AD Administrator account, I cannot UNC to an NT4
machine without being prompted for credentials. Trying
\\machinename\C$ gets to the machine immediately but I am prompted for
credentials. This is screwing up the ADMT migration tool, among other
things. I have migrated my workstation, from which I do a ton of
admin, and I cannot get to many resources on the NT4 domain that I
need.

Any ideas?

Thanks

Joe
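
The first option in the reply above (adding the AD Domain Admins group to each machine's local Administrators group), scripted for a list of machines, as an added example that is not part of the original thread. `NEWDOM`, the machine names and the function name `Set-MigrationAdminGroup` are placeholders; the script assumes it runs under an account that already has administrative rights on the target machines.

```powershell
# Added example: audit, and optionally fix, local Administrators membership
# on member servers and clients through the WinNT ADSI provider.
function Set-MigrationAdminGroup {
    param(
        [string[]]$ComputerName,
        [string]$Domain = 'NEWDOM',            # placeholder: NetBIOS name of the AD domain
        [string]$GroupName = 'Domain Admins',
        [switch]$Apply                         # without -Apply the function only reports
    )
    $wanted = "WinNT://$Domain/$GroupName"
    foreach ($computer in $ComputerName) {
        $status = 'Missing'
        try {
            # The machine's own LOCAL Administrators group, not the domain's
            $local = [ADSI]"WinNT://$computer/Administrators,group"
            $paths = @($local.psbase.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            }
            if ($paths -contains $wanted) {
                $status = 'Present'
            } elseif ($Apply) {
                $local.Add("$wanted,group")
                $status = 'Added'
            }
        } catch {
            # Unreachable machine or access denied: record it instead of stopping
            $status = "Error: $($_.Exception.Message)"
        }
        # One record per machine; rows with Status 'Added' are the undo list
        New-Object PSObject -Property @{
            Computer = $computer
            Group    = "$Domain\$GroupName"
            Status   = $status
        }
    }
}

# Constructed sample list; replace with the real machine names
$machines = 'WKS001', 'WKS002', 'SRV-FILE01'

# Report first, review the CSV, then rerun with -Apply
Set-MigrationAdminGroup -ComputerName $machines |
    Export-Csv .\admin-audit.csv -NoTypeInformation
# Set-MigrationAdminGroup -ComputerName $machines -Apply |
#     Export-Csv .\admin-changes.csv -NoTypeInformation
```

Keeping the `-Apply` output gives a record of exactly which machines were changed, so the temporary membership can be removed once the migration is finished.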



