Stuart, i share your views.

i have assumed this is going to be a problem general to NT4 workstation
migration - based on first two tested - both failed with identical message.

the number of NT4 workstations still in production means a manual migration
is not the most practical option.

in the course of resolving this i have observed that the contents of the
ADMT2 distribution are about 8 months more recent than the production ADMT2
programs that were "in good faith !!" from the .NET RC1 media,

i am assuming the upgrade to be a supported process and will just see if
this issue is not specific to ADMT version - i have also noted from
netiq.com that they had to patch migration software to resolve similar
issues of computer migration -

do you have any issues specific to versions of ADMT ??

if it does prove to be issues of the allowedrunlist "whacking me" then the
question remains as to what exe's need to be added to support the ADMT
operation

thanks for your support

GT
----- Original Message -----
From: "Fuller, Stuart" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 11, 2003 6:30 PM
Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration


> G,
>
> Let me clarify what I stated earlier...
>
> ADMT needs to be able to resolve the name of the workstation (e.g. find it
> on the network) and be able to get to the admin$ share on the workstation.
> When you run ADMT workstation migration, you are running in the security
> context of the user logged into the ADMT console (unless you use "runas").
> This user needs to have administrator privileges on the target workstation.
> You can test this very simply by mapping a drive to the target workstation's
> admin$ share.  If that works then you know that the ADMT user does have
> admin rights and the share is working.  We have found that this
> cheese-o-matic test is the best indication that the ADMT workstation
> migration will run correctly.
>
> However from your other posts, I don't think normal ADMT security is your
> issue.  It looks like the "allowed list" of applications from the NT Policy
> is whacking you.
>
> In any event, the whole point of the ADMT is to automate the workstation
> migration.  If this is a problem for only a couple of machines, you could
> just manually migrate them.  Join them directly to the new AD domain and
> simply copy over the user profile.  You may have to work on fixing printers
> and resetting some file rights but usually on a user workstation that is
> pretty minimal.
>
> When we were doing our migration, we ran into about one out of every two
> hundred workstations that had some type of underlying problem where ADMT
> would bonk.  We took those as one-offs and figured it was easier to spend 10
> minutes manually migrating the workstation than spending hours trying to
> figure out why ADMT was failing.  On the ones that we did troubleshoot, it
> was never ADMT's fault, it was something whacked with the workstation OS, IP
> stack, NIC, or even <<shudder>> the Novell client.
>
> Stuart Fuller
> Active Directory
> State of Montana
>
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 11, 2003 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
>
> Rick, thanks for your time on this issue.
>
> my view is that we are failing at the installation of the agent - as i read it
> this takes place using the credentials of the logged in user at the ADMT
> console ??
>
> GT
>
>
> ----- Original Message -----
> From: "Rick Kingslan" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 11, 2003 2:05 PM
> Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
>
>
> > Graham -
> >
> > I have no documentation of an 'allowedrunlist' policy or setting in NT
> > 4.0 (not saying that it doesn't exist - just in the limited time I
> > have this AM I can't find anything).  But, given that it does exist,
> > yes - that's what I'm saying.  If the policy does truly enforce WHO can
> > run WHAT - then this could be an issue.
> >
> > With that being said - this agent (ADMT), in my experience, runs at
> > the LocalSystem context, and therefore should not be subject to the
> > rules of a ruleset applied by system policy, AFAIK.
> >
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Friday, July 11, 2003 5:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
> >
> > Rick, thanks for post reply.
> >
> > is your inference then that it is conceivable that a restrictive
> > allowedrunlist "tattooed" into the registry is able to prevent
> > whatever application it is to run on the NT4 workstation. ???
> >
> > GT
> >
> >
> > ----- Original Message -----
> > From: "Rick Kingslan" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, July 10, 2003 1:13 AM
> > Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
> >
> >
> > > Graham,
> > >
> > > System Policy on NT 4.0 is truly tattooed to the system.  If you turn
> > > it off and back on, it's still there - unless manually removed or the
> > > policy is backed out via the de-application of said policy.
> > >
> > > And, sadly - I can't tell you right now what needs to run (yes the
> > > Agent, damn it - but what IS the Agent?)....
> > >
> > > Rick Kingslan  MCSE, MCSA, MCT
> > > Microsoft MVP - Active Directory
> > > Associate Expert
> > > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Graham
> > > Turner
> > > Sent: Wednesday, July 09, 2003 4:25 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] admt 2.0 - nt4 computer migration
> > >
> > > but then thinking about it no - when i failed on the first nt4 host
> > > thought it was down to that computer so tried another one straight
> > > away - same access denied result
> > >
> > > have spoken with the developers of the nt4 build  - there is a
> > > system policy with an allowedrunlist policy - that was that even
> > > while logged off this registry value is tattooed into the computer
> > > registry ????
> > >
> > > if this is possible which i must confess to not being sure on then
> > > need to work out what actually needs to be allowed to run for the
> > > admt dispatch agent to execute
> > >
> > > clutching at straws a bit !!!
> > >
> > > GT
> > >
> > >
> > > ----- Original Message -----
> > > From: "Wilkinson, Stephen" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, July 09, 2003 2:01 PM
> > > Subject: RE: [ActiveDir] admt 2.0 - nt4 computer migration
> > >
> > >
> > > > I think Larry's first response could be it Graham.
> > > >
> > > > We saw exactly this in our testing with the Quest Migrator product.
> > > > You must make sure there is no computer account with the same name
> > > > already in the AD -  hiding in an OU you least expect it! (ours
> > > > got there during testing by manually moving test boxes in and out
> > > > of the ad domain and forgetting to remove the computer accounts).
> > > >
> > > >
> > > > Stephen Wilkinson
> > > >
> > > > Tel     +44(0)207 4759276
> > > > Mobile      +44(0)7973 143970
> > > > E-Mail: [EMAIL PROTECTED]
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Duncan, Larry [mailto:[EMAIL PROTECTED]
> > > > Sent: 08 July 2003 21:45
> > > > To: '[EMAIL PROTECTED]'
> > > >
> > > > Has the "Everyone" group been added to the "Pre-Windows 2000
> > > > Compatible Access" group in the new domain?
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, July 08, 2003 3:24 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] admt 2.0 - nt4 computer migration
> > > >
> > > > Am attempting the migration of computer from NT4 source domain to
> > > > Windows 2000 target domain.
> > > >
> > > > the migration environment is working fine with windows 2000
> > > > professional clients
> > > >
> > > > have got issues with the migration of an NT4 workstation
> > > >
> > > > the extract from dispatch.log on the admt server is attached from
> > > > which i am hoping to get a few clues as to the "access denied"
> > > >
> > > > have checked the "obvious" issues such as sourcedom\domain admins
> > > > being a member of the local administrators group and the computer
> > > > migration being run while logged on as a member of that
> > > > sourcedom\domain admins group
> > > >
> > > > Thanks
> > > >
> > > > GT
> > > >
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive:
> > > > http://www.mail-archive.com/activedir%40mail.activedir.org/