Addressing Permissions Issues When Migrating Desktops


Now that you understand migration concepts and options available using the Active Directory Migration Tool, let's focus on desktop migration and options that can be implemented to ease the client experience during the migration.

Using the Active Directory Migration Tool, domain member desktop systems can be migrated from the source Windows NT domain to the target domain with little to no need for user intervention. By preparing and understanding the requirements needed to migrate desktops, you can install the ADMT agent easily and remotely.

The following sections review the key elements involved with migrating a desktop and common permissions you need to avoid a failed migration.

Knowing Desktop Migration Requirements

Before migrating desktops to Active Directory, the account used to perform the migration requires administrative rights through membership in both the local desktop Administrators group and the domain administrators group. This is required to perform certain functions, including changing the domain membership of the desktop on the domain controller and installing the desktop migration agent on the local desktop.

Local Desktop Permissions

A local group is a desktop system account that is strictly limited to the individual desktop and is used to grant permissions and rights on that local computer. The local Administrators group is the most privileged of the local groups and allows its members access to all functions of the local desktop, such as managing services, installing software, and accessing profiles.

Unlike domain and global groups, which are managed at the domain level by the domain network administrator, local groups can be managed only on the local desktop, and granting an account membership in this group requires local administrative privileges.

Local administrative groups can hold as members local user accounts, local groups, domain user accounts, domain groups, and global groups.

Tips for Configuring Desktop Permissions

Many times when migrating, the actual domain administrator account is used to perform all migration functions. Using this account, including adding it to the local Administrators group of each desktop, creates a network vulnerability: anyone with access to the local user's desktop may be able to obtain or misuse this account's credentials.

Creating Desktop Migration Accounts

As a best practice, creating a separate account to migrate the desktop systems gives you the ability to control access to the local systems by simply disabling and enabling the account for migration or administrative purposes.

Create a desktop migration account on the target domain. This account will require membership to the domain administrative groups on the source and target domains in order for the administrator to be able to perform these migration functions.

Enhancing Security

To enhance security, the desktop migration account can be disabled when not migrating desktops.

Also, the password of this desktop administrative account can be changed at any time without affecting any other domain administrator account functions.

Most importantly, this account can later be leveraged for administrative purposes. By enabling the desktop account, you can perform tasks at the local desktop level without requiring the domain administrator account to be used.


Tips for Configuring Desktop Permissions

One thing that often stops administrators from creating and using a desktop migration account is the task of deploying the account to the local desktop administrator group. There are several tips and tricks that can be used to add the desktop migration account to the local desktop administrator group without requiring the administrator to visit each individual desktop system.

Leveraging the Domain Administrators Group

One way to create the proper administrative permission required for migrating desktops is to simply add the desktop migration account that resides in the source domain to the domain administrators group in the target domain. Using this method will allow the Active Directory Migration Tool to perform the required functions; however, it will not provide local administrative rights on the desktop after it has been migrated to the target domain.

Using the Net Add User Command

The second method that can be leveraged to easily populate the desktop migration account to all domain desktops is to use the Net Add User command in the logon script of the Windows NT 4.0 source domain. By adding a single net add statement to the Windows NT 4.0 domain logon script, the desktop migration account is added to the local Administrators group on every desktop as users log on to the domain. Using this method will also leave the account membership intact even after the desktop has been migrated to Active Directory.
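As an added example that is not from the book, the following logon-script fragment shows the statement the text describes; the actual command that adds a member to a local group is `net localgroup <group> <account> /add`, which is what the book calls "Net Add User". The domain name MIGDOMAIN, the account name DesktopMigration and the log share \\NTSRV01\MigLogs$ are hypothetical placeholders; the group name assumes an English Windows installation, and the logged-on user must already be a local administrator for the addition to succeed.

```batch
@echo off
rem Added example (not the book's own code): NT 4.0 domain logon script fragment
rem that grants the desktop migration account membership in the local
rem Administrators group on each desktop where a user logs on.
rem MIGDOMAIN\DesktopMigration and \\NTSRV01\MigLogs$ are placeholders; the
rem desktop must be able to resolve MIGDOMAIN (same domain or a trusted one).
setlocal

set MIGACCT=MIGDOMAIN\DesktopMigration
set LOGFILE=\\NTSRV01\MigLogs$\%COMPUTERNAME%.log

rem Changing local group membership requires local administrative rights, so
rem this only works when the logged-on user is already a local administrator.
rem Check membership first so the script is idempotent and does not raise an
rem "already a member" error on every subsequent logon.
net localgroup Administrators | find /i "%MIGACCT%" >nul 2>&1
if errorlevel 1 goto addmember

echo %COMPUTERNAME%: %MIGACCT% is already in local Administrators >> "%LOGFILE%"
goto end

:addmember
net localgroup Administrators %MIGACCT% /add >nul 2>&1
if errorlevel 1 goto addfailed
echo %COMPUTERNAME%: added %MIGACCT% to local Administrators >> "%LOGFILE%"
goto end

:addfailed
rem Typical cause: the logged-on user is not a local administrator, or the
rem account name could not be resolved. Record it so these desktops can be
rem handled individually instead of failing silently during the migration.
echo %COMPUTERNAME%: FAILED to add %MIGACCT% (user lacks local admin rights?) >> "%LOGFILE%"

:end
endlocal
```

Reviewing the per-computer log files before running ADMT shows which desktops still lack the membership and would otherwise fail agent installation.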



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
