When migrating or synchronizing users who have the Domain Admins set as their Primary Group on the source, as a result they will be members of the target Domain Admins and have that group as primary as well.
This is by the design of the DSA
WORKAROUND 1:
1. On the DSA server browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeDSACtrl_{Server-Name}\Config\AD_Target_Part
2. Create the following new string value WellKnownRIDs, and set the value to 513;514;515;516;517;518;519;520 (Excluding the 512 from the list which is the RID for Domain Admins).
3. Migrate or synchronize the required users (please note that all the users who had the Domain Admins as their primary group on source will have Domain Users as a result of the above modification).
4. Stop the synchronization job (if running) and Full Re-sync for the change to take affect.
WORKAROUND 2:
Re-set the source users to exclude them from the Domain Admins as their Primary Groups
© ALL RIGHTS RESERVED. Feedback 使用条款 隐私 Cookie Preference Center