You can migrate most objects from the source even without
admin rights to them - the default authenticated user already has plenty of permissions
to read most attributes you would care to migrate.
You could still set up password migration without giving
them domain admin privs to your source domain - you would install the PES
server for them instead on one of your DCs (you'd need to exchange the PES key,
of course).
Migrating SID history, on the other hand, requires admin
privs on the source domain => while you can delegate SID history migration to
the target, I've always complained that you can't delegate it on the
source. Full control on the respective Users OU in your source domain is
not enough.
But if they do their part right (i.e. re-ACL all their
resources in a two-step approach: 1st add the new ACLs prior to "activating" the
target accounts, 2nd remove the old ACLs after all users use the new
accounts), they don't really need SID history and can spare themselves from
having to clean it up later.
You'll still have the same challenges with apps as you
always do, and if you also use Exchange, then migrating their mailboxes is a
totally different story. Another special challenge in your scenario is
group migration => depending on how your security model is set up, they may
very likely need to migrate groups that don't "belong" to them, but that they
need to have access to their resources (and allowing them to re-ACL them). This
doesn't mean that they need to migrate the members that don't belong to "their"
unit, but they do need read permissions on most of your groups (which most users
have by default anyway...).
/Guido
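The two-step re-ACL approach described above, as an added PowerShell example; it is not code from the original thread, from ADMT, or from either poster. It handles NTFS DACLs only (share permissions, printers, SQL logins and application ACLs need their own pass). The script name, parameter names, CSV layout and the sample principals are assumptions made for this example.

```powershell
# Added example, not from the original thread: two-phase re-ACL of NTFS
# resources.  Phase Add clones every explicit ACE held by a source-forest
# principal onto its target-forest counterpart (run before cutover); phase
# Remove strips the source-forest ACEs (run only after all users work with
# the new accounts).  Parameter names and the CSV layout are assumptions.
#
# Constructed sample map (Map.csv):
#   Source,Target
#   CORP\kparmar,NEWFOREST\kparmar
#   CORP\Proj-Share-RW,NEWFOREST\Proj-Share-RW
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][ValidateSet('Add', 'Remove')][string]$Phase,
    [Parameter(Mandatory)][string]$MapCsv,
    [Parameter(Mandatory)][string[]]$Root
)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Key the map by source SID and store the target SID: ACEs carry SIDs, so a
# rename in either domain must not silently break the mapping, and an
# unresolvable target fails here rather than halfway through the tree.
$map = @{}
foreach ($row in Import-Csv -LiteralPath $MapCsv) {
    try {
        $srcSid = ([System.Security.Principal.NTAccount]$row.Source).Translate($sidType).Value
        $map[$srcSid] = ([System.Security.Principal.NTAccount]$row.Target).Translate($sidType)
    }
    catch {
        Write-Warning "Skipping row '$($row.Source)' -> '$($row.Target)': $_"
    }
}
if ($map.Count -eq 0) { throw "No usable rows in $MapCsv" }

$stats = [ordered]@{ Examined = 0; Changed = 0; UnresolvedAces = 0 }

# The roots themselves plus everything under them; -Force includes hidden items.
$items = @(Get-Item -LiteralPath $Root -Force) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $stats.Examined++
    $acl = Get-Acl -LiteralPath $item.FullName
    $dirty = $false

    # Snapshot the explicit ACEs; inherited ones come from the parent and are
    # corrected when the parent is processed.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        try { $aceSid = $ace.IdentityReference.Translate($sidType).Value }
        catch { $stats.UnresolvedAces++; continue }   # orphaned SID, leave it alone
        if (-not $map.ContainsKey($aceSid)) { continue }

        if ($Phase -eq 'Add') {
            # Same rights, inheritance, propagation and allow/deny type, new identity.
            # AddAccessRule merges with an identical existing rule, so re-runs are safe.
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $map[$aceSid], $ace.FileSystemRights, $ace.InheritanceFlags,
                $ace.PropagationFlags, $ace.AccessControlType)
            $acl.AddAccessRule($rule)
        }
        else {
            # Remove exactly this ACE; other ACEs for the same principal are untouched.
            $acl.RemoveAccessRuleSpecific($ace)
        }
        $dirty = $true
    }

    if ($dirty -and $PSCmdlet.ShouldProcess($item.FullName, "$Phase ACEs")) {
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
        $stats.Changed++
    }
}

[pscustomobject]$stats
```

Saved as, say, ReAcl.ps1, run `.\ReAcl.ps1 -Phase Add -MapCsv .\Map.csv -Root D:\Shares -WhatIf` first and read the ShouldProcess output before dropping `-WhatIf`. The Remove phase is the one that locks people out, so hold it until the source accounts are disabled and nobody has logged on with them for a while. Two caveats: Set-Acl writes the whole descriptor including the owner, so it can fail on objects whose owner the running account is not allowed to assign (run it as a local administrator holding the restore privilege), and the name-to-SID translation of the NEWFOREST principals relies on the two-way trust being in place.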
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Thursday, July 27, 2006 9:27 AM
To: [email protected]
Subject: [ActiveDir] Migration without domain admin rights possible?
Hi Guys,
We have a peculiar requirement: one small group of around 300
users will be parting from the corporate AD and will be setting up their own
forest.
We will be using ADMT 3.0 for migration.
Source DFL & FFL: Windows 2000 native
Target DFL & FFL: Windows 2003
Two way trust between domains.
We would be giving FULL control rights over those 300 users and
their computer accounts to the new admins of the new forest.
Also, they are added to the local admins of those computers to be migrated.
They have domain admins rights in Target domain.
We don't want to add them into administrators group on source domains (i.e.
corporate AD)
Is it possible to migrate users, groups and computers?
What will break in the migration?
I can think of: we will not be installing PES, so NO password
migration. Anything else?
Thanking you in advance,
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Never confuse movement with action."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
