Domain – How to move a user account to another domain in the forest, whilst preserving permissions

You can place the users from the "parent" domain into a global group in the parent domain, then nest that global group into the "Administrators" domain local group in the "child" domain. That will give you the functionality you're looking for (assuming a stock set of AD permissions on the child domain). "Administrators" gets named with the same rights as "Domain Admins" in all the permissions on the AD.

As far as permissions on shares and such that you've created-- that's your problem. >smile<

Edit:

The "BUILTIN\Administrators" group in the child domain does have the same rights to Active Directory as the "Domain Admins" group in the Active Directory. You're not talking about rights to Active Directory in your comment-- you're talking about a default group nesting that gets performed on the Local Users and Groups on member computers. The kind of thing you commented on is what I mean when I said "that's your problem". It's an easy one to fix, too.

This is a job for "Restricted Groups" policy!

So, let's say that you want to modify the behaviour of the local "Administrators" group nesting domain-wide in the child domain.

• Create and link a GPO at the root of the child domain (actually, link it to a sub-OU with a test computer in it first, then when you know it's working, link it to the root of the domain).
• In that GPO, open "Computer Settings", then "Windows Settings", "Security Settings", and "Restricted Groups".
• Right-click "Restricted Groups" and do an "Add Group".
• Click "Browse" in the "Add Group" dialog, key in "Administrators" (not "Domain Admins" or anything else), and click "Check Name" and "OK". Click "OK" to dismiss the "Add Group" dialog.
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box.
• Click "Browse" in the "Add Member" dialog and key in "Domain Admins" and click "Check Name" and "OK". In the "Add Member" dialog, you'll see "CHILDDOMAINNETBIOSNAME\Domain Admins" listed. Click "OK".
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box again.
• Click "Browse" in the "Add Member" dialog and key in the name of the global group in the parent domain that you created to hold users who are getting "Administrator" rights in the child domain. Before you click "Check Name", click "Locations" and choose your parent domain in the "Locations" dialog and click "OK". Then click "Check Name" and "OK". In the "Add Member" dialog, you'll see "PARENTDOMAINNETBIOSNAME\Group name you created" listed. Click "OK".

When this GPO applies to computers, their local "Administrators" group will get the groups "CHILDDOMAINNETBIOSNAME\Domain Admins" and "PARENTDOMAINNETBIOSNAME\Group name you created" nested into it automatically.

Here's a rundown of what I did:

• Spun up a W2K3 R2 Std. Edition x86 SP2 VM with an Active Directory domain.

• Created a "Profiles" shared folder on the server VM. Shared with "Everyone / Full Control" share permissions, and set the NTFS to "Administrators - Full Control", "SYSTEM - Full Control", and "Authenticated Users - Read and Execute - This folder only".

• Created a "Sales" subfolder of that "Profiles" folder.

• Created a domain local group called "Sales (Local)" and a global group called "Sales (Global)".

• Created two user accounts - "John" and "Mary". Left their default "Domain Users" group membership intact and added them as members to the "Sales (Global)" group.

• Logged-on to a Windows XP Professional Service Pack 3 VM as "john" and created a new local profile. Set the desktop color to red (for quick visual indication of the loading of that profile) and logged-off.

• Logged-on to the WinXP machine as the domain Administrator account and used the "User Profiles" functionality in the properties of "My Computer" to copy the newly-created "john" user profile to the "Profiles" share on the server computer, granting "Sales (Local)" the "Permitted to use" permission.

• Back on the server computer I modified the security of the "Sales" subfolder of the "Profiles" folder to inherit permission from the parent folder and added "Sales (Local) - Read and Execute". I re-applied that permission to all subfolders.

• I renamed the "NTUSER.DAT" file in the "\Profiles\Sales" folder to "NTUSER.MAN".

• I modified the properties of the "John" and "Mary" user accounts to specify a roaming user profile at "\SERVER\Profiles\Sales".

• I logged-on to the Windows XP machine as "Mary" (who had never been logged-on before) and verified that I received the red desktop background. I modified the desktop background color, logged-off, logged-on again, and verified that the red desktop color persisted (meaning that the mandatory user profile was applying).

• I logged-on as "John" and performed the same verification steps as with "Mary".

Everything worked as I expected by specifying "Sales (Local)" in all permissions. I'm at a loss as to tell you what might be different about what you did. What do you see that I did differently?