If you have modified the default security settings and user rights you might wanna have a look at the following to determine what the impact is:

MS-KBQ823659_Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

Cheers,
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Mylo
Sent: Fri 12/16/2005 9:09 PM
To: [email protected]
Subject: Re: [ActiveDir] Interforest Password Migration

One other thing beyond what Jorge mentioned.... if you've Enabled Disable [oxymoron :-)] anonymous SAM enumeration via Group Policy you're also likely to end up with problems accessing resources.

Regards,
Mylo

Almeida Pinto, Jorge de wrote:

> No. That domain wide authentication thing you mention is called
> selective authentication. Although the selection you made is OK, that
> is not what you need in this case to get admin permissions on the
> source domain. To read more about selective authentication see:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx
>
> Another thing...
> On the outgoing trust (source --> target) sidfiltering is enabled by
> default if the trust was created on a W2KSP4 DC or higher (it is
> disabled by default if the trust was created on a W2KSP3 DC or earlier).
> For more info see:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/31915de7-ff58-4f26-a8ec-450ffca75912.mspx
>
> If you want to use sidhistory then sid filtering will have impact on
> that. Disable it for the moment you use sidhistory if it is enabled
>
> To use an account that has full admin rights on both source and target
> environment (to migrate users, groups, computers, etc.) you can:
> (1) add target domain admins to source domain administrators and add
> SID of source domain admins to sidhistory of target domain admins
> (2) Create a domain local group in the source domain. With restricted
> groups add that domain local group to the local administrators group
> of all computers where you need admin permissions. Add target domain
> admins to source domain administrators and the previously created
> domain local group
>
> NOTE: to be able to create domain local groups in the source env.
> that source domain must at least have windows 2000 native
>
> To use an account that has full admin rights on both source and target
> environment (to migrate only users and groups and passwords) you can:
> (1) add target domain admins to source domain administrators
>
> for the rest just follow: http://support.microsoft.com/kb/326480
>
> Cheers,
> Jorge
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Lloyd Williams
> *Sent:* Friday, December 16, 2005 16:50
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Interforest Password Migration
>
> Thanks for the reply. Yes this is the document that I am using as my
> guide to do this.
>
> The only part I am not sure about is the part that says the "users
> must have administrator rights in both domains."
> As far as I can see it is not possible to add the Domain Admin from
> one domain to the Domain Administrators group in the other domain.
> If you go into Active Directory Users and Computers to add accounts to
> Domain Admins the only location you are given is that domain.
> So I am assuming that the necessary rights come from creating the trust
> relationship. When I created this I used the Domain wide
> authentication option.
> Can I assume that this gives Domain Admins in Domain1 appropriate
> rights to Domain 2?
>
> Thanks
> Lloyd
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Almeida
> Pinto, Jorge de
> *Sent:* Friday, December 16, 2005 4:40 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Interforest Password Migration
>
> Is everything configured as mentioned in
> http://support.microsoft.com/kb/326480
>
> Cheers,
> Jorge
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Lloyd Williams
> *Sent:* Friday, December 16, 2005 01:58
> *To:* [email protected]
> *Subject:* [ActiveDir] Interforest Password Migration
>
> I am using ADMT v3.0 to migrate users from one 2000/2003 forest to
> another 2003 forest. I have no trouble migrating users however I
> cannot migrate passwords. I have the password migration service
> installed on the PDC of the source domain. I have generated a key in
> the target domain, then used it in the source domain during the
> installation of the Password Migration Service. When I use ADMT to
> migrate the password I get "unable to establish a session with the
> password export server. Access is denied"
> I have the password export service on the source machine running as
> the administrator on the target machine.
> The trusts seem to verify OK, anyone have any idea?
>
> Thanks
> Lloyd

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
