How to assign Domain admin credential to User from trusted domain

I am using the ADMT to migrate users from a Windows 2003 domain to a Windows
2008 domain in a different forest. I need to migrate the SID history with the
users. The technet article states the following
"Delegated Read all user information permission on the user OU or group OU
and domain administrator credential"
My problem is that using AD Users & Computers in the source domain there is
no option to add my migration account from the target domain to the Domain
Admins group in the source domain. The target trusted domain does not show up
as an available option to add accounts from. (There is a two way trust setup
between both domains and it is working)
The ADMT wizzard will not allow me to migrate the SID history without this.
Is there some way around this?
Thanks

Hello tom,

Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
Admins

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Delegated Read all user information permission on the user OU or group
> OU
>

If you can't see any users or groups from the source domain it sounds like
the trust isn't setup/working properly. Can you see users/groups from any
server within the source domain. If you can see users and groups but not be
able to place users in a particular group it is probably just because the
group you are intending to use can't contain members from another
domain/forest.

You need to be aware of the group scope:
http://technet.microsoft.com/en-us/l...92(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Tom" <Tom@discussions.microsoft.com> wrote in message
news:506DB6A9-DB8E-469E-89B9-7E6DC5172A6B@microsoft.com...
>I am using the ADMT to migrate users from a Windows 2003 domain to a
>Windows
> 2008 domain in a different forest. I need to migrate the SID history with
> the
> users. The technet article states the following
> "Delegated Read all user information permission on the user OU or group OU
> and domain administrator credential"
> My problem is that using AD Users & Computers in the source domain there
> is
> no option to add my migration account from the target domain to the Domain
> Admins group in the source domain. The target trusted domain does not show
> up
> as an available option to add accounts from. (There is a two way trust
> setup
> between both domains and it is working)
> The ADMT wizzard will not allow me to migrate the SID history without
> this.
> Is there some way around this?
> Thanks
>

Hi Meinolf,
Eventhough both domains trust eachother domain2 is not an available option
when I attempt to add an account or group from domain1. Universal and Global
groups do not appear to accept accounts from a trusted domain, they also do
not accept accounts grom Domain Local Security groups in the same domain.
How do I give an account from a trusted domain admin priviliges on a
trusting domain?


"Meinolf Weber [MVP-DS]" wrote:

> Hello tom,
>
> Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
> Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
> Admins
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Delegated Read all user information permission on the user OU or group
> > OU
> >
>
>
>

Just realized the group I need to add the other domain admin to is the
Builtin/administrators group

"Tom" wrote:

> Hi Meinolf,
> Eventhough both domains trust eachother domain2 is not an available option
> when I attempt to add an account or group from domain1. Universal and Global
> groups do not appear to accept accounts from a trusted domain, they also do
> not accept accounts grom Domain Local Security groups in the same domain.
> How do I give an account from a trusted domain admin priviliges on a
> trusting domain?
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
> > Hello tom,
> >
> > Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
> > Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
> > Admins
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >
> > > Delegated Read all user information permission on the user OU or group
> > > OU
> > >
> >
> >
> >