Hello @Mike Morgan
Then I would suspect for the account being part of a Protected Group, please check:
and:
Hope this helps with your query,
-----------------
--If the reply is helpful, please Upvote and Accept as answer--
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have already looked at the "Account is sensitive and cannot be delegated" option and it is not selected. So, that's not the problem. ADMT was working just two weeks ago. We have applied CU21 to Exchange in the new domain recently if that might be relevant. Here's the ADMT log information:
[Settings Section]
Task: User Migration (341)
ADMT Console
User: OND\administrator
Computer: myworkstation.our.new.domain (myworkstation)
Domain: our.new.domain (OND)
OS: Windows 10 Enterprise 10.0 (19043)
Source Domain
Name: our.old.domain (OOD)
DC: OLDDC.our.old.doman (OLDDC)
OS: Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
OU:
Target Domain
Name: our.new.domain (OND)
DC: newdc.our.new.domain (NEWDC)
OS: Windows Server 2016 Standard 10.0 (14393)
OU: LDAP://our.new.domain/OU=Users,OU=IT,OU=Departments,DC=our,DC=new,DC=domain
Intra-Forest: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: No
Migrate service accounts: Yes
[Object Migration Section]
2021-09-24 11:30:53 Starting Account Replicator.
2021-09-24 11:30:54 Removing CN=Test Mover (LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain) from the global groups it is a member of :
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=Technicians,OU=Groups,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=Computer Support Specialist Email,OU=Email,OU=IT,OU=Departments,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 Removed LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain from LDAP://OLDDC.our.old.doman/CN=Computer Support Specialist,OU=Groups,OU=IT,OU=Departments,DC=our,DC=old,DC=domain
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=APP Users,OU=APP Users and Groups,OU=Vendors,OU=Departments,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 ERR2:7621 Failed to move source object 'CN=Test Mover'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package
2021-09-24 11:30:54 Reestablishing group memberships for CN=Test Mover (LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain).
2021-09-24 11:30:54 Added LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain back to LDAP://newdc.our.new.domain/CN=Computer Support Specialist,OU=Groups,OU=IT,OU=Departments,DC=our,DC=old,DC=domain
2021-09-24 11:30:55 Operation completed.
Hello @Mike Morgan
Then I would suspect for the account being part of a Protected Group, please check:
and:
Hope this helps with your query,
-----------------
--If the reply is helpful, please Upvote and Accept as answer--