RE: What permissions are needed to migrate SID?
From: Frances [MSFT] (v-franhe_at_microsoft.com)
Date: 02/14/05
- Next message: Frances [MSFT]: "Re: Need Recommendations on NT4 > WS2003 Migration"
- Previous message: Jeff Qiu [MSFT]: "RE: Temporary machine to perform first NT4 --> Win2k3 migration"
- In reply to: Magnus Nilsson: "What permissions are needed to migrate SID?"
- Next in thread: Magnus Nilsson: "Re: What permissions are needed to migrate SID?"
- Reply: Magnus Nilsson: "Re: What permissions are needed to migrate SID?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 14 Feb 2005 08:59:51 GMT
Hello,
Good to hear from you.
According to your message, I understand that you want to perform a
migration from win2k3 domain to win2k3 domain with SIDHistory.
Generally speaking, migrations that involve the manipulation of SIDHistory
may require Administrator rights as follows:
1.You must have administrator rights on the machine running ADMT.
2.For an interforest migration, the account used to run ADMT must have
Administrator rights in the source domain if SIDHistory or password
migration is performed. The account must also have enough permissions in
the target domain to complete the required tasks, such as being able to
create computer accounts in the target domain and organizational unit.
Note: Windows Server 2003 allows delegation of SIDHistory migration by
granting the extended right, MigrateSIDs, to a user or group. The account
must be a member of the local Administrators group on each computer that
you migrate or translate security. The systems to be migrated must have the
administrative shares C$ and ADMIN$.
For more information, please refer to the articles below.
The article also applies to your scenario:
Q326480: How to Use Active Directory Migration Tool Version 2 to Migrate
from Windows 2000 to Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;326480
About the details of the user right delegation, please refer to the
following article:
How To Create an Organizational Unit and Delegate Control with Windows
Server 2003
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/secmod1
30.mspx
In a word, the account you use to run ADMT on the target DC need to be:
1. A member of domain admin in the source domain,
2. a member of the target DC built-in administers
More information are listed below for your reference.
Initializing ADMT
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deploy
guide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/de
ployguide/en-us/dssbg_rent_dsqn.asp
Configuring the Source and Target Domains to Migrate SID History
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deploy
guide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/de
ployguide/en-us/dssbg_rent_tyon.asp
Hope this helps. If you have any further questions, don't hesitate to get
in touch!
Best regards,
Frances He
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
- Next message: Frances [MSFT]: "Re: Need Recommendations on NT4 > WS2003 Migration"
- Previous message: Jeff Qiu [MSFT]: "RE: Temporary machine to perform first NT4 --> Win2k3 migration"
- In reply to: Magnus Nilsson: "What permissions are needed to migrate SID?"
- Next in thread: Magnus Nilsson: "Re: What permissions are needed to migrate SID?"
- Reply: Magnus Nilsson: "Re: What permissions are needed to migrate SID?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
|
