RE: ADMT Permissions
- From: jwd <jwd@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 13 Dec 2007 04:10:01 -0800
You need Domain Admin rights in the Source domain. If you run ADMT on a
server which is not a DC in the target domain then you can be more granular
with the permissions in the Target domain.
Granting the migration account Full Control of the OU to where you will
migrate the objects is sufficient. If you are migrating SIDs you need to
assign the permission Migrate SID History at the domain level of the Target
domain.
The account also needs to be a local Administrator of the server on which
you run ADMT. This is why if you run it on a DC it must be a Domain Admin.
To summarise, these are the steps I take when setting up a migration.
- Create account in the Source domain and add to Domain Admins group in
Source.
- Grant this account Full Control of the target OU in the Target domain.
- Grant Migrate SID History permission to account in Target domain.
- Add account to local Administrators group of server running ADMT.
- Run ADMT in the context of this account.
Whether you need this type of granular control depends on your situation.
You could just add the account from the Source domain to the Administrators
group in the Target domain and do no more. But this can be a security
hazard as the domain admins from the Source domain can suddenly have domain
admin rights in the target domain. In a situation where you have, say, 20
domains migrating into one, as I have seen, this is a problem.
Best Regards
Joe Dunn MCSE
"markj" wrote:
Can someone please define the exact permissions required to use the ADMT
for migrating users, groups and computers between forests?
Thanks.
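
The granular setup summarised in the reply above, written out as commands. This is an added example and not part of the original thread. The domain, account and OU names are placeholders. It assumes a trust is in place so the source account resolves in the target domain, and it grants the extended right by its display name through `dsacls`.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$SourceDomain = 'SOURCE'                            # NetBIOS name of the source domain (assumed)
$Account      = 'admt-migrate'                      # migration account, already created in SOURCE (assumed)
$TargetOU     = 'OU=Migrated,DC=target,DC=example'  # OU that receives the migrated objects (assumed)
$TargetRoot   = 'DC=target,DC=example'              # domain head of the target domain (assumed)
$Principal    = "$SourceDomain\$Account"

# Step 1 - run in the SOURCE domain as a source Domain Admin:
# add the migration account to Domain Admins in the source.
net group "Domain Admins" $Account /add /domain

# Step 2 - run in the TARGET domain as a target Domain Admin:
# Full Control (GA) on the target OU, inherited by the OU and its sub-objects (/I:T).
dsacls $TargetOU /I:T /G "${Principal}:GA"

# Step 3 - only when migrating SIDs, still in the TARGET domain:
# grant the "Migrate SID History" extended right (CA = control access) at the domain level.
dsacls $TargetRoot /G "${Principal}:CA;Migrate SID History"

# Step 4 - run on the member server that hosts ADMT (not a DC):
# make the account a local Administrator of that server only.
net localgroup Administrators $Principal /add

# Check - run on a machine joined to the TARGET domain:
# confirm the broad alternative was not used, i.e. the account is not
# a member of the target domain's built-in Administrators group.
$domainAdmins = net localgroup Administrators /domain
if ($domainAdmins -contains $Principal) {
    Write-Warning "$Principal is in the target domain's Administrators group."
} else {
    Write-Output "$Principal holds only the delegated rights in the target domain."
}
```

Review the resulting ACLs with `dsacls $TargetOU` and `dsacls $TargetRoot`, and remove the grants and the Domain Admins membership once the migration is finished.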