It is considered best practice for a migration project with trusts established between the source and target domains to rely on a single migration account for both the AD and Exchange parts. What is the recommended way to obtain administrative rights over the source workstations and member servers during the resource updating phase?
The most obvious approach, adding the migration account to the Domain Administrators group, has some limitations:
1. The Domain Admins group has an explicit Deny on Send As/Receive As. This affects Exchange migration, where this permission is necessary to log in to mailboxes successfully.
2. The migration account is normally created in the target domain. The Domain Admins group has Global scope and cannot contain users from other domains.
OPTION 1. Using Batch option in RUM
"Net LocalGroup Administrators Domain\User /Delete"
OPTION 2. Using Restricted Groups GPO
A) Create a Domain Local group on the source called "QMM Source". Add target QMM service account (example: targetdomainsvc_qmm) to this group. Add "QMM Source" group as a Restricted Group in the source Default Domain Policy GPO Computer section. In the properties of this Restricted Group, set the property page so that the group itself is to be made a member of "Administrators".
B) Create a Domain Global group on the target called "QMM". Add target QMM service account (example: targetdomainsvc_qmm) to this group. Add "QMM Target" group as a Restricted Group in the source Default Domain Policy GPO Computer section. In the properties of this Restricted Group, set the property page so that the group itself is to be made a member of "Administrators".
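An added audit example (not part of the original article or of the vendor's tooling): the PowerShell below parses the [Group Membership] section that a Restricted Groups policy stores in GptTmpl.inf and reports which principals the policy places in the local Administrators group, and whether it uses the additive "member of" form described in Option 2. The sample file content, the SIDs and the function name Get-RestrictedGroupAdminGrant are constructed for illustration, and entries are assumed to be in SID form.

```powershell
# Constructed sample of the [Group Membership] section a Restricted Groups policy
# writes to GptTmpl.inf. The SIDs ending -1105 / -1106 are made-up placeholders.
$SampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
'@

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Hypothetical helper: lists every principal the policy places in local Administrators.
function Get-RestrictedGroupAdminGrant {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the [Group Membership] section.
            $inSection = ($Matches[1] -eq 'Group Membership')
        }
        elseif ($inSection -and $line -match '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') {
            $group = $Matches[1].Trim().TrimStart('*')
            $kind  = $Matches[2]
            $list  = @($Matches[3] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })

            if ($kind -eq 'Memberof' -and $list -contains $AdminsSid) {
                # "This group is a member of": group is added, existing members stay.
                [pscustomobject]@{ Principal = $group; Setting = 'Memberof'; ReplacesExistingMembers = $false }
            }
            elseif ($kind -eq 'Members' -and $group -eq $AdminsSid) {
                # "Members of this group": anyone not listed is removed from Administrators.
                foreach ($member in $list) {
                    [pscustomobject]@{ Principal = $member; Setting = 'Members'; ReplacesExistingMembers = $true }
                }
            }
        }
    }
}

Get-RestrictedGroupAdminGrant -InfText $SampleInf | Format-Table -AutoSize
```

Running the same check against the policy after the migration shows whether the migration group still holds local administrator rights on source machines.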