ADMT 3.2 Win 2003 to Win 2012 Migration - Target Domain Admins group not added to client Local Administrators group

I am doing an ADMT migration between Win 2003 & Win 2012 R2 domains in a cross-forest environment.
So far I have only tested with a few test user accounts and groups and 1 workstation. Almost everything seems well except for one thing.
After completing the migration, with the workstation in the new forest / domain, I have noticed that I cannot use domain administrative accounts during a UAC elevation prompt to perform some management functions. Reviewing this further, I see that the "<new domain>\Domain Admins" group is NOT a member of the machine's local Administrators group. If I disjoin and then rejoin the machine to the new domain, the "<new domain>\Domain Admins" group DOES become a member of the machine's local Administrators group. Nothing is specified in group policy for this, so I do not know how this gets pushed to the workstation when a normal domain join is performed. I know I could add the <new domain>\Domain Admins group via the GPO "Restricted Groups" setting, but the key question is why this would be necessary, as normally joining a machine to the domain does this automatically.

P.S. I have seen another posting from 2011: https://social.technet.microsoft.com/Forums/en-US/c86c94eb-f700-4306-b8ad-30f8d56a3657/adding-domain-admins-of-new-domain-to-local-administrators-group-after-migration?forum=winserverMigration, which seems to describe the same issue, and while there are links to how to correct it (adding the target Domain Admins group to the Restricted Groups GPO), there is no explanation of why this does not get resolved automatically during the migration process, as it does with a normal domain join. I had added my question to that thread, but as of yet no one has replied, hence me posting as a new thread. My apologies for the duplicate post, but I felt it was necessary as it is 3 years later.

Thanks
LThibx

November 4th, 2014 7:16pm

I had hoped that Santhosh Sivarajan (http://portal.sivarajan.com) would pop in here and offer up his expertise. He seems to be one of the go-to guys in regards to these migrations. I tried emailing him on his website, but have not received a reply. Not sure of the best method to get him to look at this thread.

LThibx

November 6th, 2014 2:53pm

>>> Nothing is specified in group policy for this

By default, Domain Admins will be added to the local Admin group. It is part of the default policy.

This is not part of the migration process or steps. It will get updated as part of the normal GPO refresh.

Did you try to run GPUPDATE on this machine? Did you see any errors?

November 12th, 2014 2:12pm

Santhosh,

Appreciate your input here.

The workstation's event log shows successful processing of GPO objects each time after a reboot or after GPUpdate.

I ran through the migration again (3rd time), with the same results. Steps performed:

  1. Joined workstation back to source domain.
  2. In target domain removed computer account.
  3. Ran through the ADMT migration steps (closely following the MS ADMT guide):
    Migrate: Group, User, Security Translation, Computer, User, Group
    All steps completed normally.
  4. Workstation is now in target domain.
    <target domain>\Domain Admins is NOT part of Local Administrators group.
  5. I verified my GPO settings: I have a custom GPO at the domain level in the target; the only settings are to turn the firewall off during migration, set up a printer, and password options (length, duration).
  6. I ran GPUpdate on the workstation many times, even rebooting multiple times, and I even disabled my custom GPO.
    No GP errors in the event log. The <target domain>\Domain Admins group does NOT get added.
  7. Disjoin workstation from target domain, to workgroup. Reboot.
  8. Join workstation to target domain. Reboot.
    <target domain>\Domain Admins IS NOW IN Local Administrators group.
    (This is with my custom GPO in place, which confirms it is not a factor).

Hope you have further insights into what could be causing this issue.

Thanks
LThibx
November 12th, 2014 6:35pm

As I mentioned, "adding domain admin" is not part of the computer migration. Computers have to receive these default policy settings from the domain.

But I agree, it is weird. I am not sure it is worth spending a lot of time on troubleshooting this issue. You can contact Microsoft support and they can review the settings, log files, etc. If I were you and not seeing any other issue, I would go with a post-migration script to add the group to local admins after the migration.

November 13th, 2014 2:10pm
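Added example, not code posted by anyone in this thread: a PowerShell script that does the check LThibx performed by hand after each migration (is the target domain's Domain Admins group in the local Administrators group?) across a list of migrated workstations, and, with -Remediate, acts as the post-migration script Santhosh suggests. The target NetBIOS domain name "CORP", the computer names and the -Remediate switch are assumptions for illustration; it also assumes the account running it is already a local administrator on each workstation (for example the ADMT service account, which the ADMT agent installs with local admin rights) and that the WinNT provider's RPC/SMB ports are reachable, which the OP's "firewall off during migration" GPO ensures.

```powershell
# Added example, not from the thread. Audits migrated workstations for the
# target domain's Domain Admins in the local Administrators group and, with
# -Remediate, adds it. Assumed values: target domain "CORP", hostnames
# WS-MIG-01/WS-MIG-02. The caller must already be a local admin on each box.
param(
    [string]$TargetDomain = 'CORP',
    [string[]]$Computers = @('WS-MIG-01', 'WS-MIG-02'),
    [switch]$Remediate
)

# Compare by SID, not by name: after ADMT a same-named group from the source
# domain, or a sIDHistory entry, can make name matching lie. The target
# domain's Domain Admins is always <target domain SID>-512.
try {
    $account = New-Object System.Security.Principal.NTAccount("$TargetDomain\Domain Admins")
    $daSid   = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve $TargetDomain\Domain Admins; run this from a target-domain-joined host: $_"
}

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group via the WinNT provider,
    # which works against 2003-era clients without PowerShell remoting.
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $rawSid = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $path   = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Sid     = (New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)).Value
            AdsPath = $path
        }
    }
}

function Test-TargetDomainAdmins {
    # Report whether the target Domain Admins SID is a direct local admin.
    param([string]$Computer)
    $members = @(Get-LocalAdminMembers -Computer $Computer)
    New-Object PSObject -Property @{
        Computer = $Computer
        Present  = [bool]($members | Where-Object { $_.Sid -eq $daSid })
        Members  = ($members | ForEach-Object { $_.AdsPath }) -join '; '
    }
}

$results = foreach ($c in $Computers) {
    try {
        $r = Test-TargetDomainAdmins -Computer $c
        if (-not $r.Present -and $Remediate) {
            # Add by ADsPath, the same thing "net localgroup Administrators
            # CORP\Domain Admins /add" does, then re-read so the report shows
            # the membership actually stored on the workstation.
            $group = [ADSI]"WinNT://$c/Administrators,group"
            $group.psbase.Invoke('Add', "WinNT://$TargetDomain/Domain Admins,group")
            $r = Test-TargetDomainAdmins -Computer $c
        }
        $r
    } catch {
        # Offline host, access denied, or an orphaned member SID: record, keep going.
        New-Object PSObject -Property @{ Computer = $c; Present = $null; Members = "ERROR: $_" }
    }
}

$results | Format-Table Computer, Present, Members -AutoSize

# Non-zero exit if any migrated machine still lacks the group (or could not
# be checked), so a migration batch can be gated on this in automation.
if ($results | Where-Object { -not $_.Present }) { exit 1 }
```

Two practitioner caveats. First, the Domain Admins / Domain Users entries that appear after a normal join are written by the join operation itself, not by any default GPO, which is why repeated gpupdate runs cannot restore them; a Restricted Groups policy is the only policy-driven way to re-add them. Second, run the audit a second time after remediation and diff the Members column against a freshly joined reference machine: a computer that was migrated rather than joined may also be missing other join-time defaults, and a script that only adds Domain Admins will hide that.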

Hi,

I just want to confirm what is the current situation.

Please feel free to let us know if you need further assistance.

Regards.

November 18th, 2014 7:38am

I apologize for not replying sooner. Got distracted by other tasks.

I don't wholeheartedly agree with Santhosh's statement that it is not a migration issue. It is a direct result of the migration. And the fact that I can correct it by a disjoin and subsequent rejoin confirms that the target policies are correct and not prohibiting the application of the settings. In this case, it is not a large number of workstations to deal with. I will simply do the disjoin / rejoin and ensure the process is complete.

I appreciate the feedback created in this thread, and shall mark Santhosh's post as the answer.

Thank you
LThibx

November 18th, 2014 2:30pm

Hi LThibx,

I have exactly the same issue: after migration, the target Domain Admins group is not a member of the local Administrators group. If I rejoin the machine to the domain, the group is added automatically.

Did you find any solution to that issue?

Thanks,

Cédric

January 7th, 2015 1:37pm

Cedric,

No, unfortunately, I was never able to resolve this issue. For each machine I migrated, I connected to it, disjoined it from the new domain to a workgroup, then rejoined it back to the same new domain. At that point the new Domain Admins are in the local Administrators group. Luckily I only had 25 to 30 machines. I definitely would not want to have to do this with more machines than that. I didn't feel that Santhosh's suggestion of using a script was good for me, because I felt that something was incorrect and I didn't want to start off in a new domain with machines that were not connected correctly.

I hope that you or someone else might find the solution.  I don't have any other migrations yet to do, but it would be good to know the answer. 

Good luck
LThibx

January 12th, 2015 6:35pm

Probably a little too late for you, Cedric, but I believe I have found a fix for this problem.

I had the same issue occurring, with my migrated machines not adding <target domain>\Domain Admins to the local Administrators group. To fix this, what I did was change the GPO that I was using to push out <target domain>\Domain Admins via Restricted Groups to an alternate group in the target domain that included the ADMT service account. After the policy took effect, the Domain Admins group was added to the migrated machines.

TL;DR

Do not push out <Target Domain>\Domain Admins through the GPO Restricted Groups setting; push out an alternate security group which has the ADMT service account in it.

Hope this helps..

Thanks,

Sash

September 14th, 2015 3:31am
