I am doing an ADMT migration between Win 2003 & Win 2012 R2 domains in a cross-forest environment.
I have only so far tested with a few test user accounts and groups and one workstation. Almost all seems well except for one thing.
After completing the migration, with the workstation in the new forest / domain, I have noticed that I cannot use domain administrative accounts during a UAC elevation prompt to perform some management functions. Reviewing this further, I see that the "<new domain>\Domain Admins" group is NOT a member of the machine's local Administrators group. If I disjoin and then rejoin the machine to the new domain, the "<new domain>\Domain Admins" group DOES become a member of the machine's local Administrators group. Nothing is specified in group policy for this, so I do not know how this gets pushed to the workstation when a normal domain join is performed. I know I could add the <new domain>\Domain Admins group via the "Restricted Groups" Group Policy setting, but the key question is why this would be necessary, as normally joining a machine to the domain does this automatically.
P.S. I have seen another posting from 2011: https://social.technet.microsoft.com/Forums/en-US/c86c94eb-f700-4306-b8ad-30f8d56a3657/adding-domain-admins-of-new-domain-to-local-administrators-group-after-migration?forum=winserverMigration, which seems to describe the same issue, and while there are links on how to correct it (adding the target Domain Admins group to the Restricted Groups GPO), there is no explanation of why this does not get resolved automatically during the migration process, as it does with a normal domain join. I had added my question to that thread, but as of yet no one has replied, hence my posting a new thread. My apologies for the duplicate post, but I felt it was necessary as it is 3 years later.
Thanks
LThibx
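The following is an added example, not code from the original post or from ADMT, that checks a migrated workstation for the symptom described above (the target domain's Domain Admins group missing from the local Administrators group) and optionally adds it. It uses the WinNT ADSI provider rather than the newer Get-LocalGroupMember cmdlets so it runs on older workstation builds too. The domain NetBIOS name "NEWDOM" and the function name are assumptions for illustration; run it in an elevated PowerShell session on the workstation after migration.

```powershell
# Added example (not from the original post). Verifies whether <new domain>\Domain Admins
# is a member of the local Administrators group on this machine, and adds it with -Fix.
# Assumptions: "NEWDOM" is the NetBIOS name of the target domain (hypothetical); the
# session is elevated; the WinNT ADSI provider is available (it is on all supported builds).
function Test-DomainAdminsInLocalAdministrators {
    param(
        [string]$Domain = 'NEWDOM',     # assumed NetBIOS name of the migrated-to domain
        [string]$ComputerName = '.',    # '.' = local machine; a remote name works over RPC
        [switch]$Fix                    # add the group to Administrators if it is missing
    )

    # Bind to the local Administrators group via the WinNT provider.
    $localGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"

    # Enumerate current members; each member's ADsPath looks like
    # "WinNT://NEWDOM/Domain Admins" for a domain group or "WinNT://HOST/Administrator" for a local user.
    $members = @($localGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    $wanted = "WinNT://$Domain/Domain Admins"
    # -contains compares strings case-insensitively, which matches how Windows treats these names.
    $present = $members -contains $wanted

    if ($present) {
        Write-Output "OK: $Domain\Domain Admins is a member of Administrators on $ComputerName"
    }
    elseif ($Fix) {
        # Add the domain group; this is exactly what a fresh domain join leaves in place.
        $localGroup.Add($wanted)
        Write-Output "FIXED: added $Domain\Domain Admins to Administrators on $ComputerName"
    }
    else {
        Write-Output "MISSING: $Domain\Domain Admins is not in Administrators on $ComputerName (rerun with -Fix to add)"
        Write-Output "Current members:"
        $members | ForEach-Object { Write-Output "  $_" }
    }

    return $present
}

# Usage (local check, then remediation):
Test-DomainAdminsInLocalAdministrators -Domain 'NEWDOM'
Test-DomainAdminsInLocalAdministrators -Domain 'NEWDOM' -Fix
```

The check part is safe to run across every migrated workstation before deciding on a Restricted Groups GPO; the -Fix path is a one-machine remediation for the symptom only, and does not answer the poster's question about why the migration leaves the group out.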