{"id":878,"date":"2012-02-29T10:50:59","date_gmt":"2012-02-29T09:50:59","guid":{"rendered":"http:\/\/blogs.chrisse.se\/?p=878"},"modified":"2012-02-29T10:50:59","modified_gmt":"2012-02-29T09:50:59","slug":"how-to-handle-built-in-domain-groups-with-admt","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=878","title":{"rendered":"How to handle built-in domain groups with ADMT"},"content":{"rendered":"<p>If you ever performed a migration with the Active Directory Migration Tool (ADMT) it probably has come to your attention that you can&#8217;t migrate built-in domain groups, the reason for this is simple \u2013 those are groups has well-known SIDs ore more specifically well-known RIDs \u2013 meaning that their RIDs are the same in any domain.<\/p>\n<p>The ADMT Migration Log will state the following:<\/p>\n<p style=\"margin-left: 72pt;\"><span style=\"font-family: Franklin Gothic Demi; font-size: 10pt;\">Table\u00a01: Migration Log<br \/>\n<\/span><\/p>\n<div style=\"margin-left: 77pt;\">\n<table style=\"border-collapse: collapse;\" border=\"0\">\n<colgroup>\n<col style=\"width: 949px;\" \/><\/colgroup>\n<tbody valign=\"top\">\n<tr style=\"background: #d9d9d9;\">\n<td style=\"padding-left: 7px; padding-right: 7px; border-top: solid gray 1.5pt; border-left: solid gray 1.5pt; border-bottom: solid gray 0.5pt; border-right: solid gray 1.5pt;\" valign=\"middle\">\n<p style=\"text-align: center;\"><span style=\"font-family: Franklin Gothic Demi Cond; font-size: 9pt;\">ADMT Migration Log &#8211; Sample<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 7px; padding-right: 7px; border-top: none; border-left: solid gray 1.5pt; border-bottom: solid gray 1.5pt; border-right: solid gray 1.5pt;\"><span style=\"font-family: Arial; font-size: 9pt;\">Active Directory Migration Tool &#8211; scripted group migration started.<br \/>\n<\/span><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Users&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Domain Guests&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Group Policy Creator Owners&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Pre-Windows 2000 Compatible Access&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Performance Log Users&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Windows Authorization Access Group&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Remote Desktop Users&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Enterprise Admins&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Schema Admins&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Guests&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Domain Users&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Terminal Server License Servers&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Domain Admins&#8217; is a built-in or well-known account. The object will not be migrated.<br \/>\n<\/span><\/p>\n<p><span style=\"font-family: Arial; font-size: 9pt;\">WRN1:0135 The object &#8216;Administrators&#8217; is a built-in or well-known account. The object will not be migrated<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>&nbsp;<\/p>\n<p><strong>The problem<\/strong><br \/>\nThis causes an issue if you want to preserve access to resources in the source domain, once a user account has been migrated to the target domain, this is usually accomplished by using sIDHistory \u2013 (Migrated users and groups inherit their source SID in the sIDHistory attribute \u2013 You can read more here: <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/cc779590(v=ws.10).aspx\">Using SID History to Preserve Resource Access<\/a>)<\/p>\n<p>If you have ACLs (Access Control Lists) that contain ACEs (Access Control Entries) either granting or denying rights on a File Share to for example the &#8220;Domain Users&#8221; group (a group with a well-known SID) in &#8220;source.dom&#8221; and a user &#8220;John&#8221; who is member of &#8220;Domain Users&#8221; are migrated from &#8220;source.dom&#8221; to &#8220;target.dom&#8221; with sIDHistory (since built-in groups aren&#8217;t migrated \u2013 John would know lose the presence of the &#8220;Domain Users&#8221; group in &#8220;source.dom&#8221; in his token and can therefore no longer access resources in &#8220;source.dom&#8221; that was granted to him by the &#8220;Domain Users&#8221; group, the example below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle1.png\" alt=\"\" \/><\/p>\n<p><strong>The solution using Security Translation<br \/>\n<\/strong>The Active Directory Migration Tool (ADMT) has a feature called Security Translation \u2013 briefly described; Security Translation can translate security references on objects in Windows NT:<\/p>\n<ul>\n<li>Files and Folders (NTFS)<\/li>\n<li>Shares (Share Permissions)<\/li>\n<li>Printers<\/li>\n<li>Registry<\/li>\n<li>Local Groups<\/li>\n<li>User Profiles<\/li>\n<li>User Rights<\/li>\n<\/ul>\n<p>Usually security translation is taking place once a resource has been migrated from the source domain to the target domain, running the security translation will effectively replace SIDs (sIDHistory) for Security Principals from the source domain that has been migrated to SIDs in the target domain, this is referred to as the &#8220;Replace&#8221; operation.<\/p>\n<p>We are going to use the &#8220;Add&#8221; operation in order to solve the issue with built-in groups \u2013 as we can&#8217;t migrate built-in groups.<\/p>\n<p>We&#8217;re going to create a &#8220;fictive&#8221; &#8220;Domain Users&#8221; group in the target domain (Making source that all users being migrated from the source domain are being members of this group once migrated) and we&#8217;re going to use the Security Translation to grant this &#8220;fictive&#8221; &#8220;Domain Users&#8221; the exactly same permissions as the &#8220;Domain Users&#8221; group in the source domain has using the security Translation Wizard.<\/p>\n<p><strong>Step-by-Step<br \/>\n<\/strong><\/p>\n<ol>\n<li>\n<div>Let&#8217;s create group in &#8220;target.dom&#8221; named: &#8220;Source_Domain Users&#8221; \u2013 obtain the SID of the newly created group, as well obtin the SID of the &#8220;Domain Users&#8221; group in &#8220;source.dom&#8221;.Create a SID Mapping file that we&#8217;re going to use in ADMT and the Security Translation Wizard.<br \/>\nThe format of this file is &lt;source sid&gt;,&lt;target sid&gt; in this case that is &lt;real domain users group in source&gt;, &lt;fictive domain users group in target&gt;<\/div>\n<p style=\"margin-left: 36pt;\"><span style=\"font-family: Franklin Gothic Demi; font-size: 10pt;\">Table\u00a02: SIDMappingFile<br \/>\n<\/span><\/p>\n<\/li>\n<\/ol>\n<div style=\"margin-left: 77pt;\">\n<table style=\"border-collapse: collapse;\" border=\"0\">\n<colgroup>\n<col style=\"width: 949px;\" \/><\/colgroup>\n<tbody valign=\"top\">\n<tr style=\"background: #d9d9d9;\">\n<td style=\"padding-left: 7px; padding-right: 7px; border-top: solid gray 1.5pt; border-left: solid gray 1.5pt; border-bottom: solid gray 0.5pt; border-right: solid gray 1.5pt;\" valign=\"middle\">\n<p style=\"text-align: center;\"><span style=\"font-family: Franklin Gothic Demi Cond; font-size: 9pt;\">SIDMappingFile Sample<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 7px; padding-right: 7px; border-top: none; border-left: solid gray 1.5pt; border-bottom: solid gray 1.5pt; border-right: solid gray 1.5pt;\"><span style=\"font-family: Arial; font-size: 9pt;\">S-1-5-21-1429931347-2825349181-4189204843-513,S-1-5-21-3530694592-736403133-1610603870-21311<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle2.png\" alt=\"\" \/><\/p>\n<p>Save the SIDMapping file as &#8220;SOURCE_TARGET_Domain Users.txt&#8221;<\/p>\n<p>Star the Security Translation Wizard in the Active Directory Migration Tool (ADMT):<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle3.png\" alt=\"\" \/><\/p>\n<ol>\n<li>Select the &#8220;Other objects specified in a file&#8221; option and type the path to the mapping file we created in Step 1.<br \/>\n<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle4.png\" alt=\"\" \/><\/li>\n<li>Select the appropriate target and source domains.<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle5.png\" alt=\"\" \/><\/li>\n<li>You should now select all active member servers within the source domain (because you probably don&#8217;t know exactly which servers that contain ACEs (Access Control Entries) with the Domain Users group.<strong>Note: <\/strong>I recommend gathering a list of active member servers in the source domain and processing them in batches of 20-30.<br \/>\n<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle6.png\" alt=\"\" \/><\/li>\n<li>Select where you want to translate security.<br \/>\n<strong>Note:<\/strong>I recommend the selected only, as it&#8217;s very unlikely that the others contain ACLs\/ACEs with Domain Users. (You more you select \u2013 the longer time it takes to process each server)<br \/>\n<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle7.png\" alt=\"\" \/><\/li>\n<li>Select the &#8220;Add&#8221; operation, as we want to grant our &#8220;fictive&#8221; &#8220;SOURCE_Domain Users&#8221; group the same permissions as the real &#8220;Domain Users&#8221; group without replacing\/removing it \u2013 doing so will instead result in lost access for users that hasn&#8217;t been migrated yet.<strong>Note:<\/strong>Verify twice that you really have selected the &#8220;Add&#8221; operation.<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle8.png\" alt=\"\" \/><\/li>\n<li>You&#8217;re now ready to start the operation.<strong>Note:<\/strong>You might end-up with security issues if the account you&#8217;re running this operation with isn&#8217;t member of the local administrators group on all servers you intend to translate security on (e.g all member servers in the source domain \u2013 you can accomplish that with GPOs or scripting)<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle9.png\" alt=\"\" \/><\/li>\n<\/ol>\n<p><strong>Let&#8217;s see now how it works<br \/>\n<\/strong><\/p>\n<p>Once security translation has been performed the &#8220;SOURCE_Domain Users&#8221; group should now have been granted the same rights as the real &#8220;Domain Users&#8221; group in the source domain &#8220;source.dom&#8221; it should look like:<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle10.png\" alt=\"\" \/><br \/>\nLet&#8217;s now migrate &#8220;John&#8221; from &#8220;source.dom&#8221; to &#8220;target.dom&#8221; and make him a member of &#8220;SOURCE_Domain Users&#8221;<br \/>\n<img decoding=\"async\" src=\"http:\/\/blogs.chrisse.se\/wordpress\/wp-content\/uploads\/2012\/02\/022912_0950_Howtohandle11.png\" alt=\"\" \/><\/p>\n<p><strong>Summary<br \/>\n<\/strong><\/p>\n<p>I&#8217;m working on a domain migration and consolidation project where we discovered that it was very common in the source domains that ACLs (Access Control Lists) contained ACEs (Access Control Entries) with the built-in &#8220;Domain Users&#8221; group \u2013 resulting in lost permissions for migrated uses (We applied this workaround on 80~ domains being all migrated to a single domain\/forest) \u2013 Running Security Translation in domains with 1000+ member servers could take an entire week, I&#8217;ve recommend to perform security translations on lager file servers off business hours cause the ADMT agent can consume notable amount of CPU.<\/p>\n<p>If someone is interested we had to write a script to do basically the same on NetApp Filers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you ever performed a migration with the Active Directory Migration Tool (ADMT) it probably has come to your attention that you can&#8217;t migrate built-in domain groups, the reason for this is simple \u2013 those are groups has well-known SIDs ore more specifically well-known RIDs \u2013 meaning that their RIDs are the same in any &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=878\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How to handle built-in domain groups with ADMT&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-878","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=878"}],"version-history":[{"count":0,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/878\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}