Resolution
goal
Can DMA migrate or Map and Merge a built-in group, and will that mapping be taken into account when translating security?
fact
Domain Migration Administrator 7.x
fix
Domain Migration Administrator (DMA) can migrate well-known groups, such as Domain Admins and Domain Users, because these groups have a different SID in each domain. Built-in groups, such as Server Operators or Print Operators, have the same SID in every domain: the SID does not include a unique identifier for the domain, so these groups cannot be migrated. DMA does not process built-in groups, because the SID is recognized and the group will always be resolved to that group on the local machine. When DMA translates security, well-known accounts that have been migrated using the Migrate Groups or Map and Merge Groups wizards are processed according to the stored mapping information.
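The distinction above can be seen in the SID strings themselves. The following Python sketch is an added example, not NetIQ code and not DMA's implementation: it classifies SIDs as built-in (`S-1-5-32-<RID>`) or domain-relative (`S-1-5-21-<domain>-<RID>`) and applies a simplified model of security translation to a constructed ACL. The function names, domain identifiers and mapping are assumptions made for illustration.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def classify_sid(sid):
    """Return (kind, domain_id, rid); kind is 'builtin', 'domain' or 'other'."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).lstrip("-").split("-")]
    # Built-in groups live under S-1-5-32: no domain identifier in the SID.
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return ("builtin", None, subs[1])
    # Domain accounts: S-1-5-21-<three domain sub-authorities>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return ("domain", "-".join(str(s) for s in subs[1:4]), subs[4])
    return ("other", None, subs[-1])

def translate_entries(sids, mapping):
    """Simplified model of security translation (assumption, not DMA's code):
    rewrite SIDs that have a stored source-to-target mapping, keep the rest."""
    out = []
    for sid in sids:
        kind, _, _ = classify_sid(sid)
        if kind == "builtin":
            out.append(sid)  # identical in every domain, nothing to translate
        else:
            out.append(mapping.get(sid, sid))
    return out

# Constructed sample data: two made-up domain identifiers.
SRC = "S-1-5-21-1111111111-2222222222-3333333333"
TGT = "S-1-5-21-4000000001-4000000002-4000000003"
# Stored mapping for Domain Admins (RID 512) and Domain Users (RID 513).
MAPPING = {SRC + "-512": TGT + "-512", SRC + "-513": TGT + "-513"}
# ACL mixing domain groups with Print Operators (550) and Server Operators (549).
ACL = [SRC + "-512", "S-1-5-32-550", SRC + "-513", "S-1-5-32-549"]

if __name__ == "__main__":
    for before, after in zip(ACL, translate_entries(ACL, MAPPING)):
        print(classify_sid(before)[0].ljust(8), before, "->", after)
```

The domain group entries come out rewritten to the target domain's SIDs, while the `S-1-5-32` entries pass through unchanged.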
note
Please refer to the following knowledge base article for more information about Well Known and Built-In accounts:
- NETIQKB1468 - What is the difference between a 'Built-in' account and a 'Well-known' account?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1468
note
Please refer to the following knowledge base article for more information about the behavior of Domain Migration Administrator when translating security on groups that have been mapped from source to target, using the Map and Merge wizard:
- NETIQKB1150 - If the Map/Merge Groups task is executed to merge groups A, B, and C into a new group D, how is the Re-ACLing process handled?
https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB1150
note
Please refer to the following Microsoft knowledge base article for more information about which accounts include well known SIDs:
- 243330 - Well Known Security Identifiers in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;243330
Additional Information
Formerly known as NETIQKB17689