Can NT built-in groups like Domain Admins or Domain Users
be migrated to W2K AD?

If not, please advise how can you migrate these groups?


Keith

In article <1c5e801c452cc$3d148ee0$(E-Mail Removed)>,
(E-Mail Removed) says...
>
> Can NT built-in groups like Domain Admins or Domain Users
> be migrated to W2K AD?
>
> If not, please advise how can you migrate these groups?
>
>
> Keith
>
Hi Keith,
No, you can't migrate built-in and well-known security principals. Well-
known (built-in) groups like Administrators always have the same SID.
"Predefined" groups like Domain Admins have the same RID but a
different domain part of the SID,i.e. different SID as a whole. The
Active Directory Migration Tool (ADMT) won't migrate built-in or
predefined groups and won't fix membership for these groups so if you
migrate a user that is a member of Domain Admins in the source domain he
won't be such in the target. As always, all migrated users become
automatically members of Domain Users.

The resolution would be to manually add the respective users to these
groups (if you need to) so make sure you document these memberships. For
such users to maintain access to resources you'll need to translate
security with the Security Translation Wizard and a SID mapping file.

I would suggest that you read through (URLs wrap):

Windows 2000 Domain Migration Cookbook
http://www.microsoft.com/technet/pro...rv/deploy/cook
book/cookintr.asp

Domain Migration Cookbook (Chapter 9: Migration of a Windows NT 4.0
Account Domain to Active Directory)
http://www.microsoft.com/technet/pro...rv/deploy/cook
book/cookchp9.mspx

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

"True knowledge exists in knowing that you know nothing."
Socrates

Marin,

Thank you very much for your invaluable help.

Keith.
>-----Original Message-----
>In article <1c5e801c452cc$3d148ee0$(E-Mail Removed)>,
>(E-Mail Removed) says...
>>
>> Can NT built-in groups like Domain Admins or Domain
Users
>> be migrated to W2K AD?
>>
>> If not, please advise how can you migrate these groups?
>>
>>
>> Keith
>>
>Hi Keith,
>No, you can't migrate built-in and well-known security
principals. Well-
>known (built-in) groups like Administrators always have
the same SID.
>"Predefined" groups like Domain Admins have the same RID
but a
>different domain part of the SID,i.e. different SID as a
whole. The
>Active Directory Migration Tool (ADMT) won't migrate
built-in or
>predefined groups and won't fix membership for these
groups so if you
>migrate a user that is a member of Domain Admins in the
source domain he
>won't be such in the target. As always, all migrated
users become
>automatically members of Domain Users.
>
>The resolution would be to manually add the respective
users to these
>groups (if you need to) so make sure you document these
memberships. For
>such users to maintain access to resources you'll need
to translate
>security with the Security Translation Wizard and a SID
mapping file.
>
>I would suggest that you read through (URLs wrap):
>
>Windows 2000 Domain Migration Cookbook
>http://www.microsoft.com/technet/pro...l/windows2000s
erv/deploy/cook
>book/cookintr.asp
>
>Domain Migration Cookbook (Chapter 9: Migration of a
Windows NT 4.0
>Account Domain to Active Directory)
>http://www.microsoft.com/technet/pro...l/windows2000s
erv/deploy/cook
>book/cookchp9.mspx
>
>HTH
>--
>Cheers,
> Marin Marinov
> MCT, MCSE 2003/2000/NT4.0,
> MCSE:Security 2003/2000, MCP+I
>-
>This posting is provided "AS IS" with no warranties, and
confers no
>rights.
>
>"True knowledge exists in knowing that you know nothing."
>Socrates
>.
>