ADMT has suddenly stopped migrating users successfully. It's happening for all user migrations.

Mike Morgan 41 Reputation points
2021-09-24T17:18:52.293+00:00

We have already looked at the "Account is sensitive and cannot be delegated" option and it is not selected. So, that's not the problem. ADMT was working just two weeks ago. We have applied CU21 to Exchange in the new domain recently if that might be relevant. Here's the ADMT log information:

[Settings Section]
Task: User Migration (341)
ADMT Console
User: OND\administrator
Computer: myworkstation.our.new.domain (myworkstation)
Domain: our.new.domain (OND)
OS: Windows 10 Enterprise 10.0 (19043)
Source Domain
Name: our.old.domain (OOD)
DC: OLDDC.our.old.doman (OLDDC)
OS: Windows Server 2008 R2 Enterprise 6.1 (7601) Service Pack 1
OU:
Target Domain
Name: our.new.domain (OND)
DC: newdc.our.new.domain (NEWDC)
OS: Windows Server 2016 Standard 10.0 (14393)
OU: LDAP://our.new.domain/OU=Users,OU=IT,OU=Departments,DC=our,DC=new,DC=domain
Intra-Forest: Yes
Update Rights: No
Translate Roaming Profiles: No
Fix group membership: Yes
Conflict Option: Ignore
Migrate groups: No
Migrate service accounts: Yes

[Object Migration Section]
2021-09-24 11:30:53 Starting Account Replicator.
2021-09-24 11:30:54 Removing CN=Test Mover (LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain) from the global groups it is a member of :
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=Technicians,OU=Groups,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=Computer Support Specialist Email,OU=Email,OU=IT,OU=Departments,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 Removed LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain from LDAP://OLDDC.our.old.doman/CN=Computer Support Specialist,OU=Groups,OU=IT,OU=Departments,DC=our,DC=old,DC=domain
2021-09-24 11:30:54 LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain is a member of LDAP://OLDDC.our.old.doman/CN=APP Users,OU=APP Users and Groups,OU=Vendors,OU=Departments,DC=our,DC=old,DC=domain.
2021-09-24 11:30:54 ERR2:7621 Failed to move source object 'CN=Test Mover'. Verify that the caller's account is not marked sensitive and therefore cannot be delegated. hr=0x8009030e No credentials are available in the security package
2021-09-24 11:30:54 Reestablishing group memberships for CN=Test Mover (LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain).
2021-09-24 11:30:54 Added LDAP://OLDDC.our.old.doman/CN=Test Mover,OU=Users,OU=IT,OU=Departments,DC=our,DC=old,DC=domain back to LDAP://newdc.our.new.domain/CN=Computer Support Specialist,OU=Groups,OU=IT,OU=Departments,DC=our,DC=old,DC=domain
2021-09-24 11:30:55 Operation completed.


1 answer

  1. Limitless Technology 39,336 Reputation points
    2021-09-27T17:21:51.987+00:00

    Hello @Mike Morgan

    Then I would suspect the account is part of a Protected Group; please check:

    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users

    and:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

    Hope this helps with your query,

    -----------------

    --If the reply is helpful, please Upvote and Accept as answer--

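The two conditions raised in this thread (the "Account is sensitive and cannot be delegated" flag and Protected Users membership) can be checked together for the account that runs ADMT. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module, the function name `Test-DelegationBlocker` is hypothetical, and the account and domain are the anonymized values from the log's `User:` line.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DelegationBlocker {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # account that runs ADMT
        [Parameter(Mandatory)] [string] $Domain           # DNS name of that account's domain
    )

    # AccountNotDelegated is the "Account is sensitive and cannot be delegated" checkbox.
    $user = Get-ADUser -Identity $SamAccountName -Server $Domain -Properties AccountNotDelegated

    # Protected Users members cannot be delegated either; -Recursive also
    # catches membership that comes through a nested group.
    $inProtectedUsers = $false
    try {
        $members = Get-ADGroupMember -Identity 'Protected Users' -Server $Domain `
                                     -Recursive -ErrorAction Stop
        $inProtectedUsers = [bool]($members |
            Where-Object { $_.SID.Value -eq $user.SID.Value })
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Older domains may not have the Protected Users group at all.
        Write-Verbose "No Protected Users group found in $Domain"
    }

    [pscustomobject]@{
        Account             = "$Domain\$SamAccountName"
        AccountNotDelegated = [bool]$user.AccountNotDelegated
        InProtectedUsers    = $inProtectedUsers
        DelegationBlocked   = ([bool]$user.AccountNotDelegated -or $inProtectedUsers)
    }
}

# Values taken from the "User:" line of the ADMT log above (OND\administrator).
Test-DelegationBlocker -SamAccountName 'administrator' -Domain 'our.new.domain'
```

If `DelegationBlocked` is `True` while `AccountNotDelegated` is `False`, the block comes from group membership rather than the checkbox the question already ruled out.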