ADMT access denied

    Question

  • When I run ADMT on one domain controller and select a target domain controller other than the one I am running ADMT from, the user migration fails with an error that the object could not be created because of access denied.  i.e. If I run ADMT from the console of DC1 and select DC2 as the target - it fails.  If I run from DC2 and select DC1 as the target - it fails.  If I run from DC1 and the target is DC1 it is fine, and if I run from DC2 and select DC2 as the target it is fine.  The root of what I'm trying to accomplish here is to run ADMT from a member server with a special account with delegated privileges to a specific OU so that I can delegate this ADMT process without having to let the delegate log into my DC.

    Friday, February 05, 2010 3:17 PM

Answers

  • If you select a target DC other than the one you are running ADMT on then the DC needs to have the NT4Crypto registry entry on the DC and you must delegate Allow SID migration to the source user account for the target Domain/OU.  Interestingly I did not need either of these things when the target DC was the DC that the ADMT utility was being run on.
    • Marked as answer by Todd SCSI Friday, February 05, 2010 9:34 PM
    Friday, February 05, 2010 9:33 PM
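The two prerequisites the answer names can be verified before a migration run instead of discovered through a failed one. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes the target DC name, the target domain/OU distinguished name and the migration account are passed as parameters (the values in the comments are placeholders), that PowerShell remoting to the target DC is enabled, and that the ActiveDirectory module (RSAT) is installed where it runs.

```powershell
# Added example (not from the thread): check the two prerequisites for an ADMT target DC
# that is not the machine running ADMT. All names below are placeholders/assumptions.
param(
    [Parameter(Mandatory)] [string] $TargetDC,          # e.g. 'dc2.example.test'
    [Parameter(Mandatory)] [string] $TargetDN,          # domain or OU DN, e.g. 'OU=Migrated,DC=example,DC=test'
    [Parameter(Mandatory)] [string] $MigrationAccount   # e.g. 'EXAMPLE\admt-svc'
)

Import-Module ActiveDirectory

function Test-AllowNT4Crypto {
    param([string] $DC)
    # AllowNT4Crypto lives under the Netlogon parameters key; DWORD 1 permits NT4-era crypto.
    # Assumes PowerShell remoting to $DC works for the calling account.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = Invoke-Command -ComputerName $DC -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name AllowNT4Crypto -ErrorAction SilentlyContinue).AllowNT4Crypto
    } -ArgumentList $regPath
    return ($value -eq 1)
}

function Test-MigrateSidHistoryRight {
    param([string] $DN, [string] $Account)
    # Control access right GUID of Migrate-SID-History in the AD schema.
    $migrateSidHistory = [guid]'ba33815a-4f93-4c76-87f3-57574bff8109'
    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DN"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $migrateSidHistory -or $_.ObjectType -eq [guid]::Empty)  # empty GUID = all extended rights
    }
    return (@($aces).Count -gt 0)
}

$nt4 = Test-AllowNT4Crypto -DC $TargetDC
$sid = Test-MigrateSidHistoryRight -DN $TargetDN -Account $MigrationAccount

"AllowNT4Crypto on ${TargetDC}: $nt4"
"Migrate SID History allowed for $MigrationAccount on ${TargetDN}: $sid"
```

Two caveats when reading the output. AllowNT4Crypto relaxes the cryptographic requirements of the Netlogon secure channel on the DC where it is set, so it belongs only on the DCs the migration actually targets and only for as long as the migration runs; treat a DC that still has it set afterwards as a finding. The ACL check matches ACEs granted directly to the named account (including inherited ones); a right granted through group membership will not show up, so a negative result should be confirmed against the account's groups before the ACL is changed.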

All replies

  • To provide more information, the target DCs are 2008 standard and I am running the ADMT using a domain Admin account.  AD is at the 2008 functional level.  There is full connectivity between DCs.  I have tried multiple DCs as targets with the same results.
    Friday, February 05, 2010 3:45 PM
  • The registry entry AllowNT4Crypto has helped as the user object now migrates, but SID history is still failing if I select a target DC other than the DC I am running the ADMT utility on.
    Friday, February 05, 2010 6:20 PM