ADMT/SID mapping question.

  • ADMT/SID mapping question.

    I have migrated users from an NT4 domain to AD (win2k3). Some of the desktop team are members of the Domain Admin's group in NT4. How can I migrate the SID for the Domain Admin group in NT4 to the desktop support team security group in AD?

    Thanks in advance.

  • #2
    Re: ADMT/SID mapping question.

    AFAIK, the "Domain Admins" SID is the same for all Windows NT based products - with the exception that the SID of the domain it belongs to is incorporated into it.

    It should be recognised as the Domain Admins group in whichever domain you use it.

    Could you please explain a little more clearly what results you want to achieve?


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you


    • #3
      Re: ADMT/SID mapping question.

      Originally posted by Longford
      I have migrated users from an NT4 domain to AD (win2k3). Some of the desktop team are members of the Domain Admin’s group in NT4, how can I migrate the SID for the Domain admin group in NT4 to the desktop support team security group in AD.
      Thanks in advance.
      You cannot. The Domain Admins group is considered a built-in account, and built-in accounts cannot be migrated.

      And BTW, you never migrate a SID; what you do is add the old SID to the SID History of the new group that was created by the migration.
      Since built-in accounts cannot be migrated, you can't SID History it anyway.

      If you want those few users to be members of the old Domain Admins group, then just add those newly created (AD 2003) users to the Domain Admins group of the NT4 domain (I am not sure if it would let you add them or not), and if that is not possible, then add them to the Administrators group in the NT4 domain.

      Please move this post to the Active Directory section, thanks.
      Last edited by Akila; 28th September 2008, 11:01.


      • #4
        Re: ADMT/SID mapping question.

        Originally posted by Akila
        Please move this post to Active Directory section, thanks.
        You can use the report button (yellow sign) to report it to the forum mods/admins.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"


        • #5
          Re: ADMT/SID mapping question.

          Originally posted by Dumber
          You can use the report button (yellow sign) to report it to the forum mods/admins.
          Never knew that.
          I thought the Report button was for reporting an abuse post, etc.


          • #6
            Re: ADMT/SID mapping question.

            Thanks for the update. What I am trying to achieve is:

            NT Domain         AD
            Domain admins  =  Desktop Support

            This will allow members of the Desktop Support group to have the same rights they had on the NT4 domain, but not be given the same rights on AD.


            • #7
              Re: ADMT/SID mapping question.

              Originally posted by Longford
              Thanks for the update. What I am trying to achieve is:

              NT Domain         AD
              Domain admins  =  Desktop Support

              This will allow members of the Desktop Support group to have the same rights they had on the NT4 domain, but not be given the same rights on AD.
              I understood nothing of what you want


              • #8
                Re: ADMT/SID mapping question.

                I am migrating from an NT 4 domain and the Desktop team have admin rights (using the Domain Admins security group) on some servers, including file & print.

                In the new domain (AD) I want to create a group and associate it with the Domain Admins group in NT4.

                This allows the desktop team to have the same access to resources and does not grant them domain admin rights on AD.


                • #9
                  Re: ADMT/SID mapping question.

                  Once you migrate the users and groups, none of those users would be in the Domain Admins group.
                  To grant the newly created/migrated group full control over the servers and desktops, what you should do is create a group (for the sake of argument, let's call it "Computer Admins") and add the users you wish to have full control over the servers/machines.
                  Next, in the AD Group Policy under Computer -> Security -> Restricted Groups, add this group to be a member of the Administrators group of every local machine.
                  What would happen is that the group would automatically be added to the local Administrators group on every machine, allowing your team to have full control over the machine but yet not be a Domain Admin of the AD.
                  For more info on how to use "Restricted Groups", use the following links or just search for "how to use restricted groups":
                  http://www.windowsecurity.com/articl...ed-Groups.html
                  http://technet.microsoft.com/en-us/l.../cc785631.aspx
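
Added example, not part of the original post or of any Microsoft tooling: the Restricted Groups setting described in post #9 is stored in the GPO's GptTmpl.inf under `[Group Membership]`, and this Python check reads such a section to show which principals a policy puts into local Administrators and whether it adds to or replaces the existing membership. The sample content, domain SID and RID are constructed, and principals are assumed to appear in SID form.

```python
# Added example: audit the [Group Membership] section of a GPO's GptTmpl.inf.
# SAMPLE_INF is constructed; the domain SID and RID are made up.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

LOCAL_ADMINS = "*s-1-5-32-544"  # well-known SID of the local Administrators group

def parse_group_membership(inf_text):
    """Return (principal, kind, values) tuples; kind is 'members' or 'memberof'."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, sep, value = line.partition("=")
        name, marker, kind = key.strip().rpartition("__")
        if in_section and sep and marker:
            values = [v.strip().lower() for v in value.split(",") if v.strip()]
            entries.append((name.lower(), kind.lower(), values))
    return entries

def audit_local_admins(inf_text):
    """Summarise how the policy changes local Administrators on target machines."""
    report = {"added": [], "replaced_with": None}
    for name, kind, values in parse_group_membership(inf_text):
        if kind == "memberof" and LOCAL_ADMINS in values:
            # "This group is a member of": additive, existing members are kept.
            report["added"].append(name)
        elif kind == "members" and name == LOCAL_ADMINS:
            # "Members of this group": the listed values replace the membership.
            report["replaced_with"] = values
    return report

if __name__ == "__main__":
    print(audit_local_admins(SAMPLE_INF))
```

A non-`None` `replaced_with` means the policy overwrites local Administrators with exactly the listed principals, so anything not listed is removed at the next policy refresh.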


                  • #10
                    Re: ADMT/SID mapping question.

                    I have figured it out. Take the security group in the AD domain and add it to the Administrators local group in NT. The Administrators local group is a member of the Domain Admins group (global).

                    Thanks all for your help.
