| Author | Messages | |
| ZJORZ
Posts:99
 | | 01/11/2006 5:51 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra Burra
Sent: Wed 2006-01-11 18:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] NT and AD Permissions
Hi,
we have a NT domain and a new 2003 AD domain....Migrated a domain admin account, but after migration, that account can not connect to admin shares like C$ or D$...... is there any quick fix..
I have the Domain Admins group on AD as a member of Local Administrators group on the NT Domain...is there something I am missing??
Thanks in advance...
Regards,
Chandra
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. | | | |
| tkern
Posts:4
 | | 01/11/2006 6:44 AM |
| On 1/11/06, Almeida Pinto, Jorge de wrote:
is that account member of the Domain Admins in AD?
jorge | | | |
| hcoleman
Posts:26
 | | 01/11/2006 6:48 AM |
| Where are the C$/D$ shares? On the PDC, BDC, member
server?
What happens when you put the migrated account directly in
the NT4 Local Administrators group and bypass the nested group
config? | | | |
| ZJORZ
Posts:99
 | | 01/11/2006 6:54 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra Burra
Sent: Wed 2006-01-11 19:32
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
yes it is.......and it was also domain admin in old NT domain. | | | |
| AD000001036
Posts:0
 | | 01/11/2006 7:14 AM |
| Don't you have to put the Domain Admin group from AD into every local Admin group on every pc where you want to access those shares?
Just putting the AD Domain Admins into the local Admin group on your NT DC's won't do it (except give you access to those admin shares on the DC's).
Am I reading you correctly?
Thanks | | | |
| glensitton
Posts:3
 | | 01/11/2006 7:36 AM |
| Hi Chandra,
When you migrated the NT4 domain-admin account to your AD
domain, did you keep "sidHistory"? If the new AD domain-admin account has
the sidHistory of the old NT4 domain-admin account, it should have no trouble
exercising 'domain-admin' rights in the NT4 domain. It will, in effect, be
masquerading as the NT4 domain-admin.
Look at the security token of your AD domain-admin account
and see if the SID of the old NT4 domain-admin account is in there. If
not, that's your problem. You need to migrate with
sidHistory.
- G | | | |
| ZJORZ
Posts:99
 | | 01/11/2006 7:39 AM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra Burra
Sent: Wed 2006-01-11 20:13
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
This is on a member server, I am able to access the D$ and C$ on the NT PDC and BDC....but on a member server....
putting these accounts on all member servers??? this would be difficult...as we have some 2000 servers on NT domain??? and we do not have GP to do restrictive group....
Regards,
Chandra | | | |
| ZJORZ
Posts:99
 | | 01/11/2006 7:48 AM |
yes... that is a solution (don't forget to clean it when not needed anymore!). however, when using ADMT it will not be possible to migrate domain admins with sid history. ADMT will prevent that.
As most of the time the domain admins group of an NT4 domain is populated with all kinds of accounts, do not migrate the membership of the domain admins group in the source to the target.
Jorge
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| tkern
Posts:4
 | | 01/11/2006 10:05 AM |
| On 1/11/06, Chandra Burra wrote:
This is on a member server, I am able to access the D$ and C$ on the NT PDC and BDC....but on a member server....
putting these accounts on all member servers??? this would be difficult...as we have some 2000 servers on NT domain??? and we do not have GP to do restrictive group....
Regards,
Chandra | | | |
| GuidoG
Posts:56
 | | 01/11/2006 10:44 AM |
| migrating the account with SIDhistory won't help you here => it's not the User's (and his respective NT4 SID) that is added to the local admin group on all member servers and clients by default - it's the SID of the NT4 Domain Admins group itself. When migrating the user with SIDhistory, you're not adding the SID of this group to the user.
One option (which I certainly don't like - just trying to explain for you) is to merge the Domain Admins group from the NT4 Domain into the Domain Admins group of AD incl. SID history. But I'm not a friend of doing this - I much prefer to add an appropriate AD group to the respective servers' local admin group (and clients if required). This must not necessarily be the AD Domain Admins group => it's your chance to get some structure in the permission model on your servers...! The domain admin will be added anyways, once you migrate the machines across to AD.
But if everything has to be done quickly (as is often the case), you can also use ADMT to add the Domain Admins to all your servers for you: to do so, create an appropriate SID mapping file containing just the NT4 Domain Admins group + SID and AD Domain Admins group + SID and choose to perform a security translation in ADD mode on all your servers in the source domain. This will add the AD Domain Admins to the local admin group on the target machines and give them the same permissions on files/shares/registry etc. (if there are any specific ones set for the NT4 domain admins group).
/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Chandra Burra
Sent: Wednesday, 11 January 2006 20:59
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
Jorge and Glen,
Thanks for the quick update...
I will brief here the steps I have taken...
1. This is a domain admin account which is being used from last 2 years in NT
2. I have migrated this using the Bindview BV Admin with SID
3. I have taken the option to cancel the migration if the SID fails...so, the SID is in the new domain
4. Added this account to the Domain admin group manually as we won't move the group from NT
5. The account in the source domain is still active.
Still no luck....not sure if this is the only tricky thing.....I have another account which I can test...do you want me to do something different??
Regards
Chandra | | | |
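Guido's explanation above, worked through as an added example (not code from the thread or from any participant): a simplified model of which SIDs reach the logon token and how a member server's local Administrators group is matched against them. The SIDs, the account name admin1 and the Server Admins group are constructed placeholders, and real token building has more rules than this model.

```python
from dataclasses import dataclass

# Constructed placeholder SIDs; real domain SIDs will differ.
NT4 = "S-1-5-21-1111111111-1111111111-1111111111"   # source NT4 domain
AD = "S-1-5-21-2222222222-2222222222-2222222222"    # target 2003 AD domain
DOMAIN_ADMINS_RID = 512                              # well-known Domain Admins RID


@dataclass
class Principal:
    """A user or group; sid_history holds SIDs carried over by a migration."""
    name: str
    sid: str
    sid_history: frozenset = frozenset()
    member_of: tuple = ()


def token_sids(user):
    """SIDs placed in the logon token: the user's own SID and sidHistory,
    plus the SID and sidHistory of each group reached through member_of."""
    sids, seen, stack = set(), set(), [user]
    while stack:
        p = stack.pop()
        if p.sid in seen:
            continue
        seen.add(p.sid)
        sids.add(p.sid)
        sids.update(p.sid_history)
        stack.extend(p.member_of)
    return sids


def can_admin(user, local_admins):
    """True when any token SID is a member of the machine's local
    Administrators group, which is what access to C$ / D$ requires."""
    return bool(token_sids(user) & local_admins)


def run_scenarios():
    nt4_da = Principal("NT4\\Domain Admins", f"{NT4}-{DOMAIN_ADMINS_RID}")
    ad_da = Principal("AD\\Domain Admins", f"{AD}-{DOMAIN_ADMINS_RID}")
    # Hypothetical account; RIDs 1001, 1105 and 1200 are made up.
    old_user = Principal("NT4\\admin1", f"{NT4}-1001", member_of=(nt4_da,))
    # Migrated with the user's own SID kept, then added to AD Domain Admins by hand.
    new_user = Principal("AD\\admin1", f"{AD}-1105",
                         sid_history=frozenset({old_user.sid}), member_of=(ad_da,))

    # Joining the NT4 domain put only the NT4 Domain Admins group SID into a
    # member server's local Administrators group.
    member_server = {nt4_da.sid}
    # On the PDC/BDC the AD Domain Admins group was added as well.
    domain_controller = {nt4_da.sid, ad_da.sid}

    results = {
        "old account on member server": can_admin(old_user, member_server),
        "migrated account on PDC/BDC": can_admin(new_user, domain_controller),
        "migrated account on member server": can_admin(new_user, member_server),
    }

    # Option 1: merge NT4 Domain Admins into AD Domain Admins incl. SID history.
    ad_da_merged = Principal(ad_da.name, ad_da.sid,
                             sid_history=frozenset({nt4_da.sid}))
    merged_user = Principal(new_user.name, new_user.sid,
                            new_user.sid_history, (ad_da_merged,))
    results["option 1: group merged with SID history"] = can_admin(
        merged_user, member_server)

    # Option 2: add an appropriate AD group to the server's local admin group.
    server_admins = Principal("AD\\Server Admins", f"{AD}-1200")
    scoped_user = Principal(new_user.name, new_user.sid,
                            new_user.sid_history, (ad_da, server_admins))
    results["option 2: AD group added locally"] = can_admin(
        scoped_user, member_server | {server_admins.sid})
    return results


if __name__ == "__main__":
    for scenario, allowed in run_scenarios().items():
        print(f"{scenario}: {'access' if allowed else 'denied'}")
```

The only scenario that is denied is the one reported in the thread: the migrated user carries its own old SID, but nothing in its token matches the NT4 Domain Admins group SID that the member servers trust.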
| deji
Posts:132
 | | 01/12/2006 1:15 AM |
| Me, I just add the appropriate group/user (from the target) to the local
administrators' group of every computer (in the source) by script.
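on the PDC:
net view /Domain:NT4Domain >c:\computer-list.txt
then, in a batch file:
REM Loop over the machine names and call the subroutine once per machine
FOR /F %%i IN (c:\computer-list.txt) DO echo Working on %%i...& set v1=%%i& call :DoIt
REM Stop here so execution does not fall through into :DoIt one more time
goto :EOF
:DoIt
REM Add the target-domain account to the local Administrators group on the current machine
cusrmgr -m %v1% -alg administrators add user -u 2K3Domain\User-or-Group-Name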
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon | | | |
| AD000001036
Posts:0
 | | 01/12/2006 1:54 AM |
| You are the savior Deji!!
I didn't know that cusrmgr.exe can be used for adding user...I knew it as only used for password reset...
But one last question...does the cusrmgr need to be local to all servers or can I call it from my laptop??
Regards,
Chandra
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of
deji@xxxxxxxxxxxxxx
Sent: Wednesday, January 11, 2006 7:59 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions Me, I just add the appropriate group/user (from the target) to the local
administrators' group of every computer (in the source) by script.
on the PDC:
net view /Domain:NT4Domain >c:\computer-list.txt
then, in a batch file:
FOR /F %%i IN (computer-list.txt) DO echo Working on %%i...& set v1=%%i&
call
:DoIt
:DoIt
cusrmgr -m %v1% -alg administrators add user -u 2K3Domain\User-or-Group-Name
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Grillenmeier, Guido
Sent: Wed 1/11/2006 2:42 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions migrating the account with SIDhistory won't help you here => it's not the
User's (and his respective NT4 SID) that is added to the local admin group
on
all member servers and clients by default - it's the SID of the NT4 Domain
Admins group itself. When migrating the user with SIDhistory, you're not
adding the SID of this group to the user.
One option (which I certainly don't like - just trying to explain for you)
is
to merge the Domain Admins group from the NT4 Domain into the Domain Admins
group of AD incl. SID history. But I'm not a friend of doing this - I much
preferr to add an appropriate AD group to the respective servers' local
admin
group (and clients if required). This must not necessarily be the AD Domain
Admins group => it's your chance to get some structure in the permission
model on your servers...! The domain admin will be added anyways, once you
migrate the machines acrross to AD.
But if everything has to be done quickly (as is often the case), you can
also
use ADMT to add the Domain Admins to all your servers for you: to do so,
create an appropriate SID mapping file containing just the NT4 Domain Admins
group + SID and AD Domain Admins group + SID and choose to perform a
security
translation in ADD mode on all your servers in the source domain. This will
add the AD Domain Admins to the local admin group on the target machines and
give them the same permissions on files/shares/registry etc. (if there are
any specific ones set for the NT4 domain admins group).
/Guido
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Chandra Burra
Sent: Mittwoch, 11. Januar 2006 20:59
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions Jorge and Glen,
Thanks for the quick update...
I will breif here the steps i have taken...
1. This is a domain admin account which is being used from last 2years in NT
2. I have migrated this using the Bindview BV Admin with SID
3. I have taken the option to cancell the migration if the SID fails...so,
the SID is in the new domain
4. Added this account to the Domain admin group manually as we wont move the
group from NT
5. The account in the source domain is still active.
Still no luck.,...not sure if this is the only tricky thing.....i have
another account which i can test...do you want me to do something
different??
Regards
Chandra
On 1/11/06, Almeida Pinto, Jorge de
wrote:
yes... that is a solution (don't forget to clean it when not needed
anymore!). however, when using ADMT it will not be possible to migrate
domain
admins with sid history. ADMT will prevent that
As most of the times the domain admins group of an NT4 domain is
populated will al kinds of accounts, do not migrate the membership of the
domain admins group in the source to the target
Jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Sitton Glen E
Sent: Wed 2006-01-11 20:33
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions
Hi Chandra,
When you migrated the NT4 domain-admin account to your AD domain,
did
you keep "sidHistory"? If the new AD domain-admin account has the
sidHistory
of the old NT4 domain-admin account, it should have no trouble exercising
'domain-admin' rights in the NT4 domain. It will, in effect, be
masquerading
as the NT4 domain-admin.
Look at the security token of your AD domain-admin account and see
if
the SID of the old NT4 domain-admin account is in there. If not, that's
your
problem. You need to migrate with sidHistory.
- G
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Chandra Burra
Sent: Wednesday, January 11, 2006 12:32 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
yes it is.......and it was also domain admin in old NT domain.
On 1/11/06, Almeida Pinto, Jorge de
wrote:
is that account member of the Domain Admins in AD?
jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra
Burra
Sent: Wed 2006-01-11 18:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] NT and AD Permissions
Hi,
we have a NT domain and a new 2003 AD domain....Migrated a
domain admin account, but after migration, that account can not connect to
admin shares like C$ or D$...... is there any quick fix..
I have the Domain Admins group on AD as a member of Local
Administrators group on the NT Domain...is there something i am missing??
Thanks in advance...
Regards,
Chandra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> | | | |
| deji
Posts:132
 | | 01/12/2006 2:08 AM |
| You are doing all this from a central point (e.g. from the PDC), so you only
need it in that central location. You don't need to copy it to any target
system.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra Burra
Sent: Wed 1/11/2006 5:49 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions
You are the savior Deji!!
i didn't know that cusrmgr.exe can be used for adding user...i knew it as only used for password reset...
But one last question...does the cusrmgr need to be local to all servers or can i call it from my laptop??
Regards,
Chandra
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of
deji@xxxxxxxxxxxxxx
Sent: Wednesday, January 11, 2006 7:59 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions
Me, I just add the appropriate group/user (from the target) to the local administrators' group of every computer (in the source) by script.
on the PDC:
net view /Domain:NT4Domain >c:\computer-list.txt
then, in a batch file:
FOR /F %%i IN (c:\computer-list.txt) DO echo Working on %%i...& set v1=%%i& call :DoIt
goto :EOF
:DoIt
cusrmgr -m %v1% -alg administrators add user -u 2K3Domain\User-or-Group-Name
goto :EOF
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Grillenmeier, Guido
Sent: Wed 1/11/2006 2:42 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions
migrating the account with SIDhistory won't help you here => it's not the User's (and his respective NT4 SID) that is added to the local admin group on all member servers and clients by default - it's the SID of the NT4 Domain Admins group itself. When migrating the user with SIDhistory, you're not adding the SID of this group to the user.
One option (which I certainly don't like - just trying to explain for you) is to merge the Domain Admins group from the NT4 Domain into the Domain Admins group of AD incl. SID history. But I'm not a friend of doing this - I much prefer to add an appropriate AD group to the respective servers' local admin group (and clients if required). This must not necessarily be the AD Domain Admins group => it's your chance to get some structure in the permission model on your servers...! The domain admin will be added anyways, once you migrate the machines across to AD.
But if everything has to be done quickly (as is often the case), you can also
use ADMT to add the Domain Admins to all your servers for you: to do so,
create an appropriate SID mapping file containing just the NT4 Domain Admins
group + SID and AD Domain Admins group + SID and choose to perform a security
translation in ADD mode on all your servers in the source domain. This will
add the AD Domain Admins to the local admin group on the target machines and
give them the same permissions on files/shares/registry etc. (if there are
any specific ones set for the NT4 domain admins group).
/Guido
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Chandra Burra
Sent: Mittwoch, 11. Januar 2006 20:59
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
Jorge and Glen,
Thanks for the quick update...
I will brief here the steps i have taken...
1. This is a domain admin account which is being used from last 2 years in NT
2. I have migrated this using the Bindview BV Admin with SID
3. I have taken the option to cancel the migration if the SID fails...so, the SID is in the new domain
4. Added this account to the Domain admin group manually as we won't move the group from NT
5. The account in the source domain is still active.
Still no luck.,...not sure if this is the only tricky thing.....i have another account which i can test...do you want me to do something different??
Regards
Chandra
On 1/11/06, Almeida Pinto, Jorge de wrote:
yes... that is a solution (don't forget to clean it when not needed
anymore!). however, when using ADMT it will not be possible to migrate domain
admins with sid history. ADMT will prevent that
As most of the times the domain admins group of an NT4 domain is
populated with all kinds of accounts, do not migrate the membership of the
domain admins group in the source to the target
Jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Sitton Glen E
Sent: Wed 2006-01-11 20:33
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] NT and AD Permissions
Hi Chandra,
When you migrated the NT4 domain-admin account to your AD domain, did
you keep "sidHistory"? If the new AD domain-admin account has the sidHistory
of the old NT4 domain-admin account, it should have no trouble exercising
'domain-admin' rights in the NT4 domain. It will, in effect, be masquerading
as the NT4 domain-admin.
Look at the security token of your AD domain-admin account and see if
the SID of the old NT4 domain-admin account is in there. If not, that's your
problem. You need to migrate with sidHistory.
- G
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx ] On Behalf Of Chandra Burra
Sent: Wednesday, January 11, 2006 12:32 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] NT and AD Permissions
yes it is.......and it was also domain admin in old NT domain.
On 1/11/06, Almeida Pinto, Jorge de wrote:
is that account member of the Domain Admins in AD?
jorge
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Chandra Burra
Sent: Wed 2006-01-11 18:41
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] NT and AD Permissions
Hi,
we have a NT domain and a new 2003 AD domain....Migrated a
domain admin account, but after migration, that account can not connect to
admin shares like C$ or D$...... is there any quick fix..
I have the Domain Admins group on AD as a member of Local
Administrators group on the NT Domain...is there something i am missing??
Thanks in advance...
Regards,
Chandra
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|
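Added example, not part of any poster's message: a PowerShell audit of the local Administrators group on each source-domain machine, to confirm that the target-domain entry discussed in the thread was added and to find the entries that need cleaning up later. It assumes Windows PowerShell 3.0 or later, the thread's placeholder names NT4Domain and 2K3Domain, and the c:\computer-list.txt file produced by the net view step.

```powershell
# Added example (not from the thread). Assumed names: NT4Domain / 2K3Domain are
# the thread's placeholders; c:\computer-list.txt is the net view output file.
$SourceDomain = 'NT4Domain'
$TargetDomain = '2K3Domain'

function Get-LocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    try {
        $group   = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $members = @($group.psbase.Invoke('Members'))
    } catch {
        # Offline machine or access denied: report it instead of skipping it.
        return [pscustomobject]@{ Computer = $ComputerName; Member = $null
                                  Class = $null; Origin = 'Unreachable' }
    }
    foreach ($member in $members) {
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class', 'GetProperty', $null, $member, $null)

        # ADsPath is WinNT://DOMAIN/Name for domain principals,
        # WinNT://DOMAIN/COMPUTER/Name for local ones, and WinNT://S-1-5-...
        # when the SID no longer resolves to an account.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts[0] -like 'S-1-*') { $origin = 'UnresolvedSid' }
        elseif ($parts.Count -gt 2 -or $parts[0] -eq $ComputerName) { $origin = 'Local' }
        elseif ($parts[0] -eq $SourceDomain) { $origin = 'Source' }
        elseif ($parts[0] -eq $TargetDomain) { $origin = 'Target' }
        else { $origin = 'Other' }

        [pscustomobject]@{ Computer = $ComputerName; Member = $path
                           Class = $class; Origin = $origin }
    }
}

# Keep only the \\NAME lines of the net view output and strip the backslashes.
$report = Get-Content 'c:\computer-list.txt' | Where-Object { $_ -match '^\\\\' } |
    ForEach-Object { Get-LocalAdminMember (($_ -split '\s+')[0].TrimStart('\')) }

# Machines with no target-domain entry yet (unreachable machines are listed too).
$report | Group-Object Computer |
    Where-Object { $_.Group.Origin -notcontains 'Target' } | Select-Object Name
# Cross-domain and orphaned entries to review when the migration is finished.
$report | Where-Object { $_.Origin -in 'Source', 'Target', 'UnresolvedSid' } |
    Sort-Object Computer, Origin | Format-Table -AutoSize
```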