You are doing all this from a central point (e.g. from the PDC), so you only
need it in that central location. You don't need to copy it to any target
system.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Chandra Burra
Sent: Wed 1/11/2006 5:49 PM
To: [email protected]
Subject: RE: [ActiveDir] NT and AD Permissions




You are the savior Deji!!

I didn't know that cusrmgr.exe can be used for adding user...I knew it as
only used for password reset...


But one last question...does the cusrmgr need to be local to all servers or
can I call it from my laptop??

Regards, 
Chandra 
  

-----Original Message----- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] Behalf Of 
[EMAIL PROTECTED] 
Sent: Wednesday, January 11, 2006 7:59 PM 
To: [email protected] 
Subject: RE: [ActiveDir] NT and AD Permissions 


Me, I just add the appropriate group/user (from the target) to the local 
administrators' group of every computer (in the source) by script. 
  
on the PDC: 
net view /Domain:NT4Domain >c:\computer-list.txt 
  
then, in a batch file: 

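FOR /F %%i IN (computer-list.txt) DO echo Working on %%i...& set v1=%%i& call :DoIt
REM stop here so the script does not fall through into :DoIt after the loop
goto :EOF

:DoIt
REM add the target-domain user or group to the local administrators group on %v1%
cusrmgr -m %v1% -alg administrators add user -u 2K3Domain\User-or-Group-Name
goto :EOF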


  
Sincerely, 

Dèjì Akómöláfé, MCSE+M MCSA+M MCT 
Microsoft MVP - Directory Services 
www.readymaids.com - we know IT 
www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday?  -anon 
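
The loop above, as an added example that is not part of the original thread: a PowerShell version that reads the saved net view output, reports whether the principal is already in each machine's local Administrators group, and changes membership only when run with -Add. The report-only run also gives a list to work from for the later clean-up. The list path, the principal name and the sample net view output are assumptions or constructed values.

```powershell
# Added example; the list path and principal are placeholders, not values from a real environment.
param(
    [string]$ListPath  = 'C:\computer-list.txt',          # saved output of: net view /Domain:NT4Domain
    [string]$Principal = '2K3Domain/User-or-Group-Name',  # DOMAIN/Name, as used in a WinNT:// path
    [switch]$Add                                          # report only unless -Add is given
)

# Constructed sample of net view output, used only when $ListPath does not exist.
$sample = @'
Server Name            Remark
-------------------------------------------------
\\SRV01                File server
\\SRV02
The command completed successfully.
'@ -split "`r?`n"

function Get-ComputerName([string[]]$Lines) {
    # Only rows that start with \\ name a machine; header, ruler and status lines are skipped.
    foreach ($line in $Lines) { if ($line -match '^\\\\(\S+)') { $Matches[1] } }
}

function Get-LocalAdminPath($Group) {
    # Return each member's ADsPath, e.g. WinNT://DOMAIN/Name
    foreach ($m in @($Group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

$lines = if (Test-Path $ListPath) { Get-Content $ListPath } else { $sample }
foreach ($computer in Get-ComputerName $lines) {
    $action = 'none'
    try {
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $present = @(Get-LocalAdminPath $group) -contains "WinNT://$Principal"
        if (-not $present -and $Add) {
            $group.psbase.Invoke('Add', "WinNT://$Principal")
            $action = 'added'
        }
    } catch {
        # Unreachable machine or access denied: record it instead of stopping the run.
        $present = $null
        $action  = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $computer; Present = $present; Action = $action }
}
```
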

________________________________ 

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido 
Sent: Wed 1/11/2006 2:42 PM 
To: [email protected] 
Subject: RE: [ActiveDir] NT and AD Permissions 


migrating the account with SIDhistory won't help you here => it's not the
User's (and his respective NT4 SID) that is added to the local admin group on
all member servers and clients by default - it's the SID of the NT4 Domain
Admins group itself. When migrating the user with SIDhistory, you're not
adding the SID of this group to the user.

One option (which I certainly don't like - just trying to explain for you) is
to merge the Domain Admins group from the NT4 Domain into the Domain Admins
group of AD incl. SID history.  But I'm not a friend of doing this - I much
prefer to add an appropriate AD group to the respective servers' local admin
group (and clients if required). This must not necessarily be the AD Domain
Admins group => it's your chance to get some structure in the permission
model on your servers...!  The domain admin will be added anyways, once you
migrate the machines across to AD.

But if everything has to be done quickly (as is often the case), you can also
use ADMT to add the Domain Admins to all your servers for you: to do so,
create an appropriate SID mapping file containing just the NT4 Domain Admins
group + SID and AD Domain Admins group + SID and choose to perform a security
translation in ADD mode on all your servers in the source domain. This will
add the AD Domain Admins to the local admin group on the target machines and
give them the same permissions on files/shares/registry etc.  (if there are
any specific ones set for the NT4 domain admins group).
  
/Guido 

________________________________ 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra 
Sent: Mittwoch, 11. Januar 2006 20:59 
To: [email protected] 
Subject: Re: [ActiveDir] NT and AD Permissions 


Jorge and Glen, 
  
Thanks for the quick update... 
  
I will brief here the steps I have taken...

1. This is a domain admin account which is being used from last 2 years in NT

2. I have migrated this using the Bindview BV Admin with SID

3. I have taken the option to cancel the migration if the SID fails...so,
the SID is in the new domain

4. Added this account to the Domain admin group manually as we won't move the
group from NT

5. The account in the source domain is still active.


Still no luck.,...not sure if this is the only tricky thing.....I have
another account which I can test...do you want me to do something different??

  
Regards 
Chandra 


On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

        yes... that is a solution (don't forget to clean it when not needed
        anymore!). however, when using ADMT it will not be possible to migrate
        domain admins with sid history. ADMT will prevent that
        As most of the times the domain admins group of an NT4 domain is
        populated with all kinds of accounts, do not migrate the membership of
        the domain admins group in the source to the target
        
        Jorge 
        
        ________________________________ 
        
        From: [EMAIL PROTECTED] on behalf of Sitton Glen E 
        Sent: Wed 2006-01-11 20:33 
        To: [email protected] 
        Subject: RE: [ActiveDir] NT and AD Permissions 
        
        
        Hi Chandra, 
        
        When you migrated the NT4 domain-admin account to your AD domain, did
        you keep "sidHistory"?  If the new AD domain-admin account has the
        sidHistory of the old NT4 domain-admin account, it should have no
        trouble exercising 'domain-admin' rights in the NT4 domain.  It will,
        in effect, be masquerading as the NT4 domain-admin.

        Look at the security token of your AD domain-admin account and see if
        the SID of the old NT4 domain-admin account is in there.  If not,
        that's your problem.  You need to migrate with sidHistory.
        
        - G 
        
        
        ________________________________ 
        
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Chandra Burra
        Sent: Wednesday, January 11, 2006 12:32 PM 
        To: [email protected] 
        Subject: Re: [ActiveDir] NT and AD Permissions 
        
        
        yes it is.......and it was also domain admin in old NT domain. 
        
        
        On 1/11/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
        
               is that account member of the Domain Admins in AD? 
        
               jorge 
        
               ________________________________ 
        
               From: [EMAIL PROTECTED] on behalf of Chandra Burra
               Sent: Wed 2006-01-11 18:41 
               To: [email protected] 
               Subject: [ActiveDir] NT and AD Permissions 
        
        
               Hi, 
        
               We have an NT domain and a new 2003 AD domain....Migrated a
               domain admin account, but after migration, that account can not
               connect to admin shares like C$ or D$...... is there any quick
               fix..

               I have the Domain Admins group on AD as a member of Local
               Administrators group on the NT Domain...is there something I am
               missing??
        
        
               Thanks in advance... 
        
        
               Regards, 
               Chandra 
        
        
        
        
        
        
        List info   : http://www.activedir.org/List.aspx 
        List FAQ    : http://www.activedir.org/ListFAQ.aspx 
        List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
        

