Results 1 to 5 of 5

Thread: How to assign Domain admin credential to User from trusted domain

  1. #1
    Tom Guest

    How to assign Domain admin credential to User from trusted domain

    I am using the ADMT to migrate users from a Windows 2003 domain to a Windows
    2008 domain in a different forest. I need to migrate the SID history with the
    users. The technet article states the following
    "Delegated Read all user information permission on the user OU or group OU
    and domain administrator credential"
    My problem is that using AD Users & Computers in the source domain there is
    no option to add my migration account from the target domain to the Domain
    Admins group in the source domain. The target trusted domain does not show up
    as an available option to add accounts from. (There is a two way trust setup
    between both domains and it is working)
    The ADMT wizzard will not allow me to migrate the SID history without this.
    Is there some way around this?
    Thanks


  2. #2
    Meinolf Weber [MVP-DS] Guest

    Re: How to assign Domain admin credential to User from trusted domain

    Hello tom,

    Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
    Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
    Admins

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > Delegated Read all user information permission on the user OU or group
    > OU
    >




  3. #3
    Paul Bergson [MVP-DS] Guest

    Re: How to assign Domain admin credential to User from trusted domain

    If you can't see any users or groups from the source domain it sounds like
    the trust isn't setup/working properly. Can you see users/groups from any
    server within the source domain. If you can see users and groups but not be
    able to place users in a particular group it is probably just because the
    group you are intending to use can't contain members from another
    domain/forest.

    You need to be aware of the group scope:
    http://technet.microsoft.com/en-us/l...92(WS.10).aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.

    "Tom" <Tom@discussions.microsoft.com> wrote in message
    news:506DB6A9-DB8E-469E-89B9-7E6DC5172A6B@microsoft.com...
    >I am using the ADMT to migrate users from a Windows 2003 domain to a
    >Windows
    > 2008 domain in a different forest. I need to migrate the SID history with
    > the
    > users. The technet article states the following
    > "Delegated Read all user information permission on the user OU or group OU
    > and domain administrator credential"
    > My problem is that using AD Users & Computers in the source domain there
    > is
    > no option to add my migration account from the target domain to the Domain
    > Admins group in the source domain. The target trusted domain does not show
    > up
    > as an available option to add accounts from. (There is a two way trust
    > setup
    > between both domains and it is working)
    > The ADMT wizzard will not allow me to migrate the SID history without
    > this.
    > Is there some way around this?
    > Thanks
    >




  4. #4
    Tom Guest

    Re: How to assign Domain admin credential to User from trusted dom

    Hi Meinolf,
    Eventhough both domains trust eachother domain2 is not an available option
    when I attempt to add an account or group from domain1. Universal and Global
    groups do not appear to accept accounts from a trusted domain, they also do
    not accept accounts grom Domain Local Security groups in the same domain.
    How do I give an account from a trusted domain admin priviliges on a
    trusting domain?


    "Meinolf Weber [MVP-DS]" wrote:

    > Hello tom,
    >
    > Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
    > Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
    > Admins
    >
    > Best regards
    >
    > Meinolf Weber
    > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > no rights.
    > ** Please do NOT email, only reply to Newsgroups
    > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >
    >
    > > Delegated Read all user information permission on the user OU or group
    > > OU
    > >

    >
    >
    >


  5. #5
    Tom Guest

    Re: How to assign Domain admin credential to User from trusted dom

    Just realized the group I need to add the other domain admin to is the
    Builtin/administrators group

    "Tom" wrote:

    > Hi Meinolf,
    > Eventhough both domains trust eachother domain2 is not an available option
    > when I attempt to add an account or group from domain1. Universal and Global
    > groups do not appear to accept accounts from a trusted domain, they also do
    > not accept accounts grom Domain Local Security groups in the same domain.
    > How do I give an account from a trusted domain admin priviliges on a
    > trusting domain?
    >
    >
    > "Meinolf Weber [MVP-DS]" wrote:
    >
    > > Hello tom,
    > >
    > > Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
    > > Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
    > > Admins
    > >
    > > Best regards
    > >
    > > Meinolf Weber
    > > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > > no rights.
    > > ** Please do NOT email, only reply to Newsgroups
    > > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    > >
    > >
    > > > Delegated Read all user information permission on the user OU or group
    > > > OU
    > > >

    > >
    > >
    > >


Similar Threads

  1. Domain Admin cannot create user account
    By ChrisMo in forum Windows Server Help
    Replies: 1
    Last Post: 10-04-2012, 12:03 PM
  2. Replies: 5
    Last Post: 24-08-2010, 03:12 AM
  3. How to make a VPN domain user permanent local admin
    By Hassing in forum Operating Systems
    Replies: 2
    Last Post: 05-05-2010, 05:40 PM
  4. Replies: 1
    Last Post: 19-06-2008, 01:58 AM
  5. Making a user Local Admin on domain computers
    By Niklas Ramstedt in forum Windows Server Help
    Replies: 1
    Last Post: 29-04-2008, 02:41 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,711,640,296.64745 seconds with 17 queries