Rick, thanks for the reply post. Membership of these groups is not the issue - I take your point though.

It is more to do with the ability to translate the security of the resources, which as I understand it won't happen without an entry in the ADMT database. But thinking about it, I don't need to do security translation as long as I populate the sIDHistory of the target domain's Domain Admins / Domain Users group objects using alternative tools such as ClonePrincipal?? Although, that said, this loses some of the "genericness" of a security translation. I assume the manual "hack" of the sIDHistory to be a supported operation?

As an aside, I picked up from netiq.com a technote that suggests that it does support the migration of sIDHistory for these well-known objects - here's an extract - and by corollary thought that this would be supported under ADMT2:

"The API used to migrate SID History for Well-Known objects will only migrate to a target domain object with the same RID. This has been implemented by Microsoft for security reasons. For example, you can only migrate the SID of the source domain's Well-Known Domain Admins group to the SID History of the target domain's Well-Known Domain Admins group. You could not apply it to any other group."

GT

On Fri, 6 Jun 2003 07:57:07 -0500, "Rick Kingslan" wrote:
>
> Graham,
>
> You cannot migrate the well known groups from one domain (or forest) to
> another. The SIDs are universally the same. ADMT will attempt, however the
> well-known already exists, and you cannot migrate it.
>
> Our solution was to take an inventory of who / what was member of the groups
> (or included membership of) and recreate that via scripting, manual methods,
> what have you.
>
> If someone else has a solution, great - I hope that they do for the sake of
> your time in collecting the data.
>
> Otherwise, you do have a task - not monumental, but not small either. BTW,
> our environment - 15k desktops, 25k users. Lots of groups.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, June 06, 2003 7:44 AM
> To: [EMAIL PROTECTED]
>
> Dear all, have posted quite recently with no feedback so hoping this time
> round to get a bit more info,
>
> still looking at strategy for migration of the well known accounts - "Domain
> Admins" / Domain Users on which a lot of domain security is based.
>
> thought this was where the Group mapping and merging wizard gave us some
> help.
>
> using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the
> "migrate group sids" option enabled - I assumed this would populate the
> sIDHistory of the targetdomain group object with that of the source domain
> SID and in doing so create an entry in the ADMT database that will be read
> by the security translation / user migration wizards.
>
> ditto for Domain Users
>
> However this ADMT process is failing with the following error codes;
>
> ERR2: 7085
> Replace failed rc=1371
> Cannot perform this operation on builtin accounts
>
> for me am I not right to say that the above groups are not in fact builtin
> accounts but "well known accounts"??
>
> saw one post back that documented the use of a manual process
> (ClonePrincipal) to achieve the population of the sIDHistory but this will
> not allow us to achieve the requirement of security translation
>
> any clues??
>
> GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
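The same-RID rule quoted from the NetIQ technote above, as an added Python example that is not part of the thread and not code from ADMT, NetIQ or ClonePrincipal: it parses domain-relative SIDs, checks a proposed source-to-target sIDHistory pair against the rule for well-known RIDs, and audits an object list for well-known RIDs sitting in the sIDHistory of an object with a different RID. The domain identifiers and the object list are constructed sample values; the RID table holds standard Windows values and is not exhaustive.

```python
import re

# Well-known domain-relative RIDs (standard Windows values; not exhaustive).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}
# Domain-relative SID: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
# Constructed sample domain identifiers (not real domains).
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

def parse_domain_sid(sid: str) -> tuple[str, int]:
    """Split a domain-relative SID into (domain identifier, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a domain-relative SID: {sid}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def sidhistory_allowed(source_sid: str, target_sid: str) -> bool:
    """The rule quoted from the technote: a well-known source SID may only be
    written to the sIDHistory of a target object carrying the same RID.
    Non-well-known RIDs are only required to come from a different domain."""
    src_dom, src_rid = parse_domain_sid(source_sid)
    tgt_dom, tgt_rid = parse_domain_sid(target_sid)
    if src_dom == tgt_dom:
        return False  # same domain: nothing to migrate
    if src_rid in WELL_KNOWN_RIDS:
        return src_rid == tgt_rid
    return True

def audit_sidhistory(objects):
    """objects: iterable of (object SID, list of sIDHistory SIDs), e.g. from an
    LDAP export. Flags a well-known RID in the sIDHistory of an object whose own
    RID differs, which is the condition the same-RID rule exists to prevent."""
    findings = []
    for obj_sid, history in objects:
        _, obj_rid = parse_domain_sid(obj_sid)
        for hist in history:
            _, hist_rid = parse_domain_sid(hist)
            if hist_rid in WELL_KNOWN_RIDS and hist_rid != obj_rid:
                findings.append((obj_sid, hist, WELL_KNOWN_RIDS[hist_rid]))
    return findings

# Constructed sample: target Domain Admins carrying source Domain Admins (fine),
# an ordinary target user carrying the source Domain Admins SID (finding).
SAMPLE_OBJECTS = [
    (TARGET_DOMAIN + "-512", [SOURCE_DOMAIN + "-512"]),
    (TARGET_DOMAIN + "-1105", [SOURCE_DOMAIN + "-512"]),
    (TARGET_DOMAIN + "-1106", [SOURCE_DOMAIN + "-1107"]),
]
```

Running audit_sidhistory over a real export is a quick way to confirm that only the well-known-to-well-known mappings the technote describes ended up in sIDHistory after a manual ClonePrincipal run.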
