Permissions Issue During NT4 to AD migration


joe.beaulieu

Hi,

I am finally doing the NT4 to AD dance. I have created full trust
relationships between the new Win2003 DC and the NT4 DC. The Win2003
DC is in Native mode.

After creating the trusts, I added the Domain Admins group from the AD
domain to the Administrators Global Group - no problem. I would now
expect any Domain Admin in the AD domain to be able to administer the
NT4 domain. Well - it's not happening.

Logged in under the AD Administrator account, I cannot UNC to an NT4
machine without being prompted for credentials. Trying
\\machinename\C$ gets to the machine immediately but I am prompted for
credentials. This is screwing up the ADMT migration tool, among other
things. I have migrated my workstation, from which I do a ton of
admin, and I cannot get to many resources on the NT4 domain that I
need.

Any ideas?

Thanks

Joe
 
Adding the AD Domain Admins to the NT4 Administrators of the domain does
not give you permissions on member servers or clients. For that you need
to add the AD Domain Admins to the local Administrators of the servers or
clients.

OR

Add the SID history of the NT4 Domain Admins to the AD Domain Admins. That
will not be possible with ADMT. The Clone Principal script from MS is able
to do this. Don't forget to clean up later on when ready!!!

OR

Use RUNAS

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Thanks Jorge - I think you also replied on my technet posting of the
same topic. Thanks for your time.

I don't understand why if the AD domain admins are members of the
global group Administrators on the NT4 domain they would not be
included in the local account. When you join the domain the Domain
Admins local group gets added to the local Administrators group on the
workstation.

The ADMT will not run without me implicitly adding the AD Domain Admins
group to the local machine, as you suggested. This is a workaround
that I have used, but I have better than 500 machines to address.
There is no mention anywhere in the ADMT setup instructions about this
need. It doesn't seem to make sense.
 
I don't understand why if the AD domain admins are members of the
global group Administrators on the NT4 domain they would not be
included in the local account

That is because it is NOT a global group.... Administrators is
LOCAL.... Domain Admins is GLOBAL.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
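Jorge's first option (giving the AD Domain Admins group local Administrators membership on each NT4 member machine) at the scale Joe mentions, as an added example that is not part of the thread: it reads hostnames from a constructed machines.txt, skips machines where the group is already a member, and records failures. It assumes the AD domain's NetBIOS name is ADDOMAIN (a placeholder) and that it runs under credentials that already hold local admin rights on the targets (for instance Jorge's RUNAS option with an NT4 Domain Admins account, since the AD account cannot get in until this membership exists).

```powershell
# Added example, not from the thread. Adds ADDOMAIN\Domain Admins to the local
# Administrators group on every machine listed in machines.txt (one hostname
# per line). ADDOMAIN is a placeholder for the AD domain's NetBIOS name.
$AdDomain   = 'ADDOMAIN'
$GroupName  = 'Domain Admins'
$MemberPath = "WinNT://$AdDomain/$GroupName,group"
$Machines   = Get-Content -Path '.\machines.txt' | Where-Object { $_.Trim() -ne '' }

$report = foreach ($machine in $Machines) {
    $status = 'unknown'
    try {
        # The WinNT ADSI provider talks to the remote machine's local SAM, so it
        # works against NT4-era members as well as Windows 2003 machines.
        $localAdmins = [ADSI]"WinNT://$machine/Administrators,group"

        # Enumerate current members; a domain group shows up with an ADsPath
        # such as WinNT://ADDOMAIN/Domain Admins.
        $members = @($localAdmins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains "WinNT://$AdDomain/$GroupName") {
            $status = 'already-member'      # idempotent: nothing to change
        } else {
            $localAdmins.psbase.Invoke('Add', $MemberPath)
            $status = 'added'
        }
    } catch {
        # Typical causes: machine offline, caller lacks local admin rights, or the
        # NT4 member cannot resolve the trusted AD domain (trust/name resolution).
        $status = "failed: $($_.Exception.Message)"
    }
    [PSCustomObject]@{ Machine = $machine; Status = $status }
}

# Summary on screen, plus a CSV of the machines that still need attention.
$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -like 'failed*' } |
    Export-Csv -Path '.\failed.csv' -NoTypeInformation
```

Re-running the script is safe because already-present memberships are skipped, so failed.csv can be fed back in as the next machines.txt once the offline machines are reachable.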
 