How do I migrate users or groups to a specific OU with a non-Domain Admin account that has been dele (NETIQKB922)

  • 7700922
  • 02-Feb-2007
  • 08-Aug-2007

Resolution

goal
How do I migrate users or groups to a specific OU with a non-Domain Admin account that has been delegated control over that OU?

goal
How do I migrate users or groups with SID History to a specific OU with a non-Domain Admin account that has been delegated control over that OU?

fact
Domain Migration Administrator 7.x

fix

Migrating Users or Groups

A user who has been granted delegated rights to an Organizational Unit (OU) (e.g. create, groups, reset passwords etc), can migrate the account from the source (where it must have admin rights) to the target in which it has been delegated control over an OU. The logged on migration account will ONLY be able to migrate to that specific OU.

Note: This is only a supported configuration when using DMA 7.x.

Migrating Users or Groups with SID History

If you are planning to migrate accounts with SID History to a Microsoft Windows 2000  Domain, the account must be a Domain Admin. However, if you are migrating to Microsoft Windows 2003, you can use a delegated OU Admin account and provide that account the Migrate SID History permission to the domain object in Active Directory Users and Computers.

Note: Support for migrating to a Microsoft Windows 2003  domain using the Migrate SID History permission was first added in DMA 7.2. If you have a version prior to DMA 7.2, you will have to be a Domain Admin to migrate SID History, even if the domain is a Microsoft Windows 2003  domain.



note

Please refer to the following Knowledge Base article for more information regarding the requirements for migrating SID History:

What are the requirements for using Domain Migration Administrator when migrating with SID History?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB4365  



Additional Information

Formerly known as NETIQKB922