Just wanted to sound people out on issues of migration - specifically
regarding the "Domain Admins" global group and strategy for migration of
resources in which this group is a member of the local "Administrators"
group. 

As I know, the "Domain Admins" group is not able to be migrated, as it already exists
in the target domain.

This creates an issue as a user who is a member of this global group in the
source domain will not be

In the scenario of a group that has been migrated, this would be provided
for, as the user's access token would include the SID of the global group in
the source domain (having been enumerated from the SIDhistory attribute of
the global group in the target domain).

However, no such "luxury" with Domain Admins!

It seems a way (not sure if this is an optimal strategy though!) is to use
the "Group mapping and merging wizard", which as I understand will create a
mapping between the SIDs of the "Domain Admins" global groups in the
source and target domains.

I would expect this to then be used by the "security and translation
wizard" and duplicate the entry for the sourcedom\Domain Admins with
targetdom\Domain Admins based on the given

The only limitation I can see with this is that you will need to have completed
the security translation on all member servers and workstations prior to
migration of the user accounts of the members of the Domain Admins group in
the source domain to retain the above security.

Unless, of course, I am missing a trick here and can somehow utilise the
SIDhistory of the Domain Admins global group???

Thanks 

GT 