Re: What permissions are needed to migrate SID?

From: Frances [MSFT] (v-franhe_at_microsoft.com)
Date: 02/15/05


Date: Tue, 15 Feb 2005 05:30:56 GMT

Hello Magnus,

Yes, your understanding is right.

The user running ADMT must have Domain Admin rights in the source domain,
and delegated rights in the target domain to complete certain tasks.
Meanwhile, he must have administrator rights on the machine running ADMT.
It is a best practice to run ADMT on a DC of the target domain and make the
user the built-in Admin on the DC.

As for your suggestion, yes, it is really good to delegate permissions for
such tasks as SID and password migration. I have forwarded your feedback to
the appropriate folks to catch their immediate attention. Maybe we can add
some features in the future versions of ADMT. Thanks for your suggestion.

Below is the content I have emailed to MSWISH@microsoft.com:

===========*******************==============
MSWISH,

One of my customers suggests that it would be best to delegate permissions
for such tasks as SID and password migration in the future versions of
ADMT, because in some migration scenarios concerning large organizations, it
is very restrictive to assign Domain Admins permissions. However, the
current ADMTv2 requires Domain Admin rights in the source domain.

Please take his suggestion into consideration. Thanks!

===========*******************==============

If you have any further questions, don't hesitate to get in touch!

Best regards,

Frances He

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


