RE: strange access denied in ADMT v3

From: v-xuwen@xxxxxxxxxxxxxxxxxxxx (Vincent Xu [MSFT])
Date: Tue, 20 Dec 2005 06:09:30 GMT

Hi,

As I said, Please add the account into local Administrators of the box
which you run ADMT.

Thanks.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>>Thread-Topic: strange access denied in ADMT v3
>>thread-index: AcYEfCJRKHCG7zPZRPGLyMH10rbegg==
>>X-WBNR-Posting-Host: 217.167.147.251
>>From: "=?Utf-8?B?Sm9lIFBhc3M=?=" <JoePass@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>References: <79FDA5EF-0205-4759-AB33-E884C4786126@xxxxxxxxxxxxx>
<Gqkf9Ev9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
<2D9E8228-F401-4555-9811-D8A724A0636A@xxxxxxxxxxxxx>
<pmdJCJW#FHA.3440@xxxxxxxxxxxxxxxxxxxxx>
>>Subject: RE: strange access denied in ADMT v3
>>Date: Mon, 19 Dec 2005 01:11:02 -0800
>>Lines: 186
>>Message-ID: <9E6B4A9F-BA2E-4606-B651-0C67AFA3CD8F@xxxxxxxxxxxxx>
>>MIME-Version: 1.0
>>Content-Type: text/plain;
>> charset="Utf-8"
>>Content-Transfer-Encoding: 7bit
>>X-Newsreader: Microsoft CDO for Windows 2000
>>Content-Class: urn:content-classes:message
>>Importance: normal
>>Priority: normal
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>Newsgroups: microsoft.public.windows.server.migration
>>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.windows.server.migration:21757
>>X-Tomcat-NG: microsoft.public.windows.server.migration
>>
>>The account of old domain is member of admins of NT4 & dom admins of NT4
and
>>admins of 2K3. It cannot be part of dom admins on 2K3 because of the
group
>>scope.
>>
>>To come back on my original issue - access denied when moving user
accounts
>>with admin of source domain- I think I have found the source of the
problem.
>>The new domain is a child domain of a forest and there is a single DC
there.
>>It does not hold the global catalog role . If it holds the GC role, then
all
>>goes fine.
>>Is it something well known ? I don't want the DC to be GC +
infrastructure
>>master as the infrastructure master does not work when a GC is on it.
>>Any recommendations ?
>>
>>
>>"Vincent Xu [MSFT]" wrote:
>>
>>> Hi,
>>>
>>> I was confused. The user account was unable to be a part of the domain
>>> admins group of the new domain or the domain admins group of the old
>>> domain? Why it also cannot be a part of local Administrators? Is there
any
>>> error message? Please understand, we have to add it into local
>>> Administrators group.
>>>
>>>
>>> Best regards,
>>>
>>> Vincent Xu
>>> Microsoft Online Partner Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>> When responding to posts, please "Reply to Group" via your newsreader
so
>>> that others may learn and benefit from your issue.
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
rights.
>>>
>>>
>>> --------------------
>>> >>Thread-Topic: strange access denied in ADMT v3
>>> >>thread-index: AcX3KLLrH3kVimIMRqyDOn34UJ3mvg==
>>> >>X-WBNR-Posting-Host: 217.167.147.251
>>> >>From: "=?Utf-8?B?Sm9lIFBhc3M=?=" <JoePass@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>> >>References: <79FDA5EF-0205-4759-AB33-E884C4786126@xxxxxxxxxxxxx>
>>> <Gqkf9Ev9FHA.4000@xxxxxxxxxxxxxxxxxxxxx>
>>> >>Subject: RE: strange access denied in ADMT v3
>>> >>Date: Fri, 2 Dec 2005 02:11:02 -0800
>>> >>Lines: 113
>>> >>Message-ID: <2D9E8228-F401-4555-9811-D8A724A0636A@xxxxxxxxxxxxx>
>>> >>MIME-Version: 1.0
>>> >>Content-Type: text/plain;
>>> >> charset="Utf-8"
>>> >>Content-Transfer-Encoding: 7bit
>>> >>X-Newsreader: Microsoft CDO for Windows 2000
>>> >>Content-Class: urn:content-classes:message
>>> >>Importance: normal
>>> >>Priority: normal
>>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>> >>Newsgroups: microsoft.public.windows.server.migration
>>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>> >>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>> >>Xref: TK2MSFTNGXA02.phx.gbl
>>> microsoft.public.windows.server.migration:21552
>>> >>X-Tomcat-NG: microsoft.public.windows.server.migration
>>> >>
>>> >>Thanks for your response Vincent.
>>> >>Well I am using an account of old domain that is :
>>> >>-member of the administrators group of old domain
>>> >>-member of the domain admins group of old domain
>>> >>-member of the administrators group of new domain.
>>> >>But he cannot be part of the domain admins of the new domain( scope
is
>>> >>global ).
>>> >>The only specific thing is that the domain admins group of old domain
has
>>> >>been renamed.
>>> >>
>>> >>When I am using an account of new domain, I don't have the access
denied
>>> on
>>> >>admt. But I will have problems when I want to run the agent to
migrate
>>> the
>>> >>PCs since this account will not be part of the local admins. ( since
it
>>> >>cannot be part of the domain admins group of old domain ) .
>>> >>
>>> >>How can I proceed ?
>>> >>Thanks .
>>> >>
>>> >>
>>> >>"Vincent Xu [MSFT]" wrote:
>>> >>
>>> >>> Hi,
>>> >>>
>>> >>> Please make sure:
>>> >>>
>>> >>> The user account you logged on to run ADMT is added into:
>>> >>>
>>> >>> 1) Local Administrators group.
>>> >>> 2) Target Domain Admin group
>>> >>> 3) Source Domain Admin group.
>>> >>>
>>> >>> Hope it helps.
>>> >>>
>>> >>>
>>> >>> Best regards,
>>> >>>
>>> >>> Vincent Xu
>>> >>> Microsoft Online Partner Support
>>> >>>
>>> >>> Get Secure! - www.microsoft.com/security
>>> >>>
>>> >>> When responding to posts, please "Reply to Group" via your
newsreader
>>> so
>>> >>> that others may learn and benefit from your issue.
>>> >>>
>>> >>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>> >>>
>>> >>>
>>> >>> --------------------
>>> >>> >>Thread-Topic: strange access denied in ADMT v3
>>> >>> >>thread-index: AcX2Z39GtKTb5NycSfKcHXW5TATKIA==
>>> >>> >>X-WBNR-Posting-Host: 217.167.147.251
>>> >>> >>From: "=?Utf-8?B?Sm9lIFBhc3M=?="
<JoePass@xxxxxxxxxxxxxxxxxxxxxxxxx>
>>> >>> >>Subject: strange access denied in ADMT v3
>>> >>> >>Date: Thu, 1 Dec 2005 03:08:02 -0800
>>> >>> >>Lines: 36
>>> >>> >>Message-ID: <79FDA5EF-0205-4759-AB33-E884C4786126@xxxxxxxxxxxxx>
>>> >>> >>MIME-Version: 1.0
>>> >>> >>Content-Type: text/plain;
>>> >>> >> charset="Utf-8"
>>> >>> >>Content-Transfer-Encoding: 7bit
>>> >>> >>X-Newsreader: Microsoft CDO for Windows 2000
>>> >>> >>Content-Class: urn:content-classes:message
>>> >>> >>Importance: normal
>>> >>> >>Priority: normal
>>> >>> >>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>>> >>> >>Newsgroups: microsoft.public.windows.server.migration
>>> >>> >>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>>> >>> >>Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>>> >>> >>Xref: TK2MSFTNGXA02.phx.gbl
>>> >>> microsoft.public.windows.server.migration:21537
>>> >>> >>X-Tomcat-NG: microsoft.public.windows.server.migration
>>> >>> >>
>>> >>> >>I have been using ADMT v2 for a while with other migration
projects.
>>> >>> >>I have a strange access rights issue with v3:
>>> >>> >>Running it on the DC of the new domain with an account of old
domain
>>> that
>>> >>> is :
>>> >>> >>-part of the administrators group of the new domain
>>> >>> >>-and part of the domain admins group of the old domain
>>> >>> >>
>>> >>> >>I have following error:
>>> >>> >>
>>> >>> >>Source Domain
>>> >>> >> Name: SOURCE
>>> >>> >> DC: PDC
>>> >>> >> OS: Windows NT 4.0
>>> >>> >>Target Domain
>>> >>> >> Name: dest.local (DEST)
>>> >>> >> DC: dcdest.dest.local (DCDEST)
>>> >>> >> OS: Windows Server 2003 5.2 (3790) Service Pack 1
>>> >>> >> OU: LDAP://dest.local/OU=Migration,DC=dest,DC=local
>>> >>> >>Intra-Forest: No
>>> >>> >>Translate Option: Add
>>> >>> >>Translate Files: Yes
>>> >>> >>Translate Local Groups: Yes
>>> >>> >>Translate Printers: Yes
>>> >>> >>Translate Registry: Yes
>>> >>> >>Translate Rights: Yes
>>> >>> >>Translate Shares: Yes
>>> >>> >>Translate User Profiles: Yes
>>> >>> >>Conflict Option: Ignore
>>> >>> >>Perform Pre-check Only: No
>>> >>> >>
>>> >>> >>[Object Migration Section]
>>> >>> >>2005-11-25 17:50:15 Starting Account Replicator.
>>> >>> >>2005-11-25 17:50:18 ERR3:7585 The account replicator is unable to
>>> >>> continue.
>>> >>> >> Access is denied.
>>> >>> >>2005-11-25 17:50:18 Operation completed.
>>> >>> >>
>>> >>> >>Any ideas ? I'm stuck.
>>> >>> >>
>>> >>>
>>> >>>
>>> >>
>>>
>>>
>>

.

Follow-Ups:
- RE: strange access denied in ADMT v3
  - From: Joe Pass

References:
- RE: strange access denied in ADMT v3
  - From: Vincent Xu [MSFT]
- RE: strange access denied in ADMT v3
  - From: Joe Pass
- RE: strange access denied in ADMT v3
  - From: Vincent Xu [MSFT]
- RE: strange access denied in ADMT v3
  - From: Joe Pass

Prev by Date: Re: Migrate NT4 PDC to existing w2k3 domain member server?
Next by Date: Re: Migrate NT4 PDC to existing w2k3 domain member server?
Previous by thread: RE: strange access denied in ADMT v3
Next by thread: RE: strange access denied in ADMT v3
Index(es):
- Date
- Thread

Relevant Pages

Re: Problem pushing Advanced client to WinXP SP1
... %machinename%\administrator as the client push installation account. ... > pusthinstallation account, and the domain admins group. ... >> made a member of the local Administrators group on each PC. ...
(microsoft.public.sms.setup)
Re: Administrators Group in Local Users and Groups
... Anyone who gives non-domain admins the ability to log on interactively or modify system files/services on a DC is asking to be spanked at some point in the future. ... I imagine adding themselves to the domain admins group would require a trick similar to the NT4 days where you could make cmd.exe launch as the screensaver (which runs under the local system account), then within the newly opened CMD prompt window, add your self to the local administrators group using the net user command. ...
(microsoft.public.windows.server.active_directory)
Re: Cannot join XP Prof to Domain
... That's weird, that option shouldn't be greyed out for admins, are you sure ... that the account that you're using is member of local administrators? ... I am unable to join to domain as the "Member of: ...
(microsoft.public.windows.server.active_directory)
Re: Problem managing accounts in protected groups
... For you administrator accounts create an own OU directly under the domain name and place there the domain admin accounts without any restrictions through policies or whatever. ... And create for them a normal domain user account for the daily work with normal restrictions like any other user. ... If now the account under the Administrators OU is locked another one from that OU can easily unlock them without any problem, because they all are domain admins in that OU. ... heard about that someone will give more security permissions to users ...
(microsoft.public.windows.server.active_directory)
Re: Login as local admin
... schema admins, enterprise admins and the other groups mentioned, but the ... installing SBS SP1. ... So if i basically ensure that my domain administrator account is a member ... The article does not reference "local" administrator (as far as I ...
(microsoft.public.windows.server.sbs)