Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

How to assign Domain admin credential to User from trusted domain [message #157815] Tue, 14 July 2009 21:26
Tom
I am using the ADMT to migrate users from a Windows 2003 domain to a Windows
2008 domain in a different forest. I need to migrate the SID history with the
users. The TechNet article states the following:
"Delegated Read all user information permission on the user OU or group OU
and domain administrator credential"
My problem is that, using AD Users & Computers in the source domain, there is
no option to add my migration account from the target domain to the Domain
Admins group in the source domain. The target trusted domain does not show up
as an available option to add accounts from. (There is a two-way trust set up
between both domains and it is working.)
The ADMT wizard will not allow me to migrate the SID history without this.
Is there some way around this?
Thanks
Re: How to assign Domain admin credential to User from trusted domain [message #157826 is a reply to message #157815] Wed, 15 July 2009 05:16
meiweb(nospam) (Germany)
Hello Tom,

Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain Admins
to Domain1\ADMTAdmins. Now you can add Domain1\ADMTAdmins to Domain1\Domain Admins.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Delegated Read all user information permission on the user OU or group
> OU
>
Re: How to assign Domain admin credential to User from trusted domain [message #157839 is a reply to message #157815] Wed, 15 July 2009 08:23
pbbergs (United States)
If you can't see any users or groups from the source domain, it sounds like
the trust isn't set up/working properly. Can you see users/groups from any
server within the source domain? If you can see users and groups but are not
able to place users in a particular group, it is probably just because the
group you are intending to use can't contain members from another
domain/forest.

You need to be aware of the group scope:
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Tom" <Tom@discussions.microsoft.com> wrote in message
news:506DB6A9-DB8E-469E-89B9-7E6DC5172A6B@microsoft.com...
> I am using the ADMT to migrate users from a Windows 2003 domain to a Windows
> 2008 domain in a different forest. I need to migrate the SID history with the
> users. The TechNet article states the following:
> "Delegated Read all user information permission on the user OU or group OU
> and domain administrator credential"
> My problem is that, using AD Users & Computers in the source domain, there is
> no option to add my migration account from the target domain to the Domain
> Admins group in the source domain. The target trusted domain does not show up
> as an available option to add accounts from. (There is a two-way trust set up
> between both domains and it is working.)
> The ADMT wizard will not allow me to migrate the SID history without this.
> Is there some way around this?
> Thanks
>
Re: How to assign Domain admin credential to User from trusted dom [message #157850 is a reply to message #157826] Wed, 15 July 2009 13:50
Tom
Hi Meinolf,
Even though both domains trust each other, domain2 is not an available option
when I attempt to add an account or group from domain1. Universal and Global
groups do not appear to accept accounts from a trusted domain; they also do
not accept accounts from Domain Local Security groups in the same domain.
How do I give an account from a trusted domain admin privileges on a
trusting domain?


"Meinolf Weber [MVP-DS]" wrote:

> Hello tom,
>
> Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
> Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
> Admins
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Delegated Read all user information permission on the user OU or group
> > OU
> >
>
>
>
Re: How to assign Domain admin credential to User from trusted dom [message #157851 is a reply to message #157850] Wed, 15 July 2009 13:59
Tom
Just realized the group I need to add the other domain admin to is the
Builtin/administrators group

"Tom" wrote:

> Hi Meinolf,
> Even though both domains trust each other, domain2 is not an available option
> when I attempt to add an account or group from domain1. Universal and Global
> groups do not appear to accept accounts from a trusted domain; they also do
> not accept accounts from Domain Local Security groups in the same domain.
> How do I give an account from a trusted domain admin privileges on a
> trusting domain?
>
>
> "Meinolf Weber [MVP-DS]" wrote:
>
> > Hello tom,
> >
> > Create a universal group in Domain1 (maybe Domain1\ADMTAdmin), add Domain2\Domain
> > Admins to Domain1\ADMTAdmins, now you can add Domain1\ADMTAdmins to Domain1\Domain
> > Admins
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >
> > > Delegated Read all user information permission on the user OU or group
> > > OU
> > >
> >
> >
> >
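
Following on from the resolution above (the account from the trusted domain goes into the Builtin\Administrators group of the source domain), this added example, which is not part of the original thread, lists the members of that group that come from a trusted domain so the migration account can be reviewed and removed once the ADMT run is finished. It assumes the ActiveDirectory PowerShell module is installed and uses `domain1.example` as a placeholder for the source domain name.

```powershell
# Added example, not from the thread. Read-only audit of BUILTIN\Administrators
# in the source (trusting) domain for members that live in a trusted domain.
Import-Module ActiveDirectory

$SourceDomain = 'domain1.example'   # placeholder: DNS name of the source domain

# BUILTIN\Administrators has the well-known SID S-1-5-32-544 in every domain,
# so the lookup does not depend on a localized group name.
$admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $SourceDomain -Properties member

# Accounts from another forest cannot be stored as normal member links. The
# directory stores a foreignSecurityPrincipal object (named after the account's
# SID) and makes that object the group member.
$foreign = foreach ($dn in $admins.member) {
    $obj = Get-ADObject -Identity $dn -Server $SourceDomain -Properties objectSid
    if ($obj.ObjectClass -ne 'foreignSecurityPrincipal') { continue }

    $sid = $obj.objectSid
    # Keep only domain accounts and groups (S-1-5-21-...); skip well-known SIDs.
    if ($sid.Value -notlike 'S-1-5-21-*') { continue }

    try {
        # Resolution goes across the trust; it fails if the trust is down
        # or the account has been deleted in the trusted domain.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }

    [pscustomobject]@{
        Name              = $name
        Sid               = $sid.Value
        DistinguishedName = $dn
    }
}

$foreign | Sort-Object Name | Format-Table -AutoSize
```

An entry shown as `<unresolved>` is a leftover membership whose account can no longer be looked up across the trust.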