Can NT built-in groups like Domain Admins or Domain Users
be migrated to W2K AD?
If not, please advise how you can migrate these groups.
Keith
Hi Keith,
No, you can't migrate built-in and well-known security principals. Well-
known (built-in) groups like Administrators always have the same SID.
"Predefined" groups like Domain Admins have the same RID but a
different domain part of the SID, i.e. different SID as a whole. The
Active Directory Migration Tool (ADMT) won't migrate built-in or
predefined groups and won't fix membership for these groups so if you
migrate a user that is a member of Domain Admins in the source domain he
won't be such in the target. As always, all migrated users become
automatically members of Domain Users.
The resolution would be to manually add the respective users to these
groups (if you need to) so make sure you document these memberships. For
such users to maintain access to resources you'll need to translate
security with the Security Translation Wizard and a SID mapping file.
I would suggest that you read through:
Windows 2000 Domain Migration Cookbook
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookintr.asp
Domain Migration Cookbook (Chapter 9: Migration of a Windows NT 4.0
Account Domain to Active Directory)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/cookbook/cookchp9.mspx
HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
"True knowledge exists in knowing that you know nothing."
Socrates
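
The SID distinction in the reply above, as an added example that is not part of the original thread: it classifies group SIDs as built-in, predefined or ordinary, and lists the memberships that have to be re-added by hand in the target domain. The domain SIDs, user names and function names are constructed for illustration, and the cut-off of 1000 for predefined RIDs is an assumption of the example.

```python
BUILTIN = "S-1-5-32"      # BUILTIN domain part, identical everywhere
DOMAIN_USERS_RID = 513    # migrated users join Domain Users automatically
FIRST_CUSTOM_RID = 1000   # assumption: RIDs below this are predefined accounts

# Constructed sample values, not taken from the thread.
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
MEMBERSHIPS = {
    "S-1-5-32-544": ["alice"],                          # Administrators
    SOURCE_DOMAIN + "-512": ["alice", "bob"],           # Domain Admins
    SOURCE_DOMAIN + "-513": ["alice", "bob", "carol"],  # Domain Users
    SOURCE_DOMAIN + "-1104": ["carol"],                 # ordinary global group
}

def split_sid(sid):
    """Split 'S-1-5-21-...-512' into (domain part, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError("not a SID: %r" % sid)
    return domain, int(rid)

def classify(sid, source=SOURCE_DOMAIN):
    domain, rid = split_sid(sid)
    if domain == BUILTIN:
        return "builtin"        # same SID in every domain
    if domain == source and rid < FIRST_CUSTOM_RID:
        return "predefined"     # same RID, different domain part
    return "migratable"         # ordinary group, handled by the migration tool

def target_sid(sid, source=SOURCE_DOMAIN, target=TARGET_DOMAIN):
    """Counterpart group SID in the target domain, or None for an ordinary
    group, which receives a new SID when it is migrated."""
    kind = classify(sid, source)
    if kind == "builtin":
        return sid
    if kind == "predefined":
        return "%s-%d" % (target, split_sid(sid)[1])
    return None

def manual_readd_plan(memberships, source=SOURCE_DOMAIN, target=TARGET_DOMAIN):
    """Sorted (user, target group SID) pairs that must be re-added by hand."""
    plan = []
    for sid, users in memberships.items():
        if classify(sid, source) == "migratable":
            continue
        if split_sid(sid) == (source, DOMAIN_USERS_RID):
            continue  # membership is automatic in the target domain
        plan += [(u, target_sid(sid, source, target)) for u in users]
    return sorted(plan)
```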