And actually, Omar you triggered something for me. I think it's a good idea, when removing computers from one domain and moving them to another, to first remove the GP settings that currently apply to them before joining the new domain. There's probably several ways to do that but maybe the the easiest is to create an OU in the domain you are retiring and block inheritance on it for all GP settings. Then move computer accounts in there and let them process policy to remove any unwanted settings. Then, move the computer accounts. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Tuesday, January 08, 2008 2:49 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: AD Consolidation Dave, Since you posted on the GP list: One big thing to keep in mind that when transitioning computer and user accounts between domains the end users and workstations will now have the new domain's group policies applied to them. Make sure before you migrate the user and computer accounts that you create and link the GPOs that you want applied to those objects on the OU's that will be used for the destination domain objects. If you are using ADMT 3.0- you will need to make sure that on the source domain and destination domain OUs that you set the correct Windows Firewall settings using GPOs or if you are using a 3rd party FW on the workstations or servers that are migrating- that the ADMT computer migration and security translation tool can communicate with the machines before and after migration otherwise all your results will be "FAILED" I have done domain consolidations within a single or between separate forests many times and there are many gotchas- and GPO application and delegation of administration(which it appears you are after) are usually the 1st thing that breaks- Do let this happen to you- take the time to lab the whole thing up. If you need to hire an outside consulting firm-I know a real good-one :)- If you have any more questions- feel free to contact me offline using my email address. Omar _____ From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia Sent: Tue 1/8/2008 1:47 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: AD Consolidation Dave- Since this is probably more of an AD issue than a Group Policy issue (which this list is focused on) I might suggest you post this on the activedir.org mailing list as well, as you are likely to get some responses from folks who have done a lot of this kind of migration. However, I think the bottom-line is the answer will be driven by the OU administrators' business needs. If they need to be able to create users and computers, create and link GPOs, create groups, etc. then you will likely have to make those OUs wide-open for them. But again, it depends upon what responsibilities they have, keeping in mind that access to domain controllers directly will be pretty limited for them. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Daniel Gomes Sent: Tuesday, January 08, 2008 1:38 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] AD Consolidation Hello all, We are at the beginning stages of doing an AD Consolidation. We are looking at consolidating two domains into one having one of the domains become an OU in the other. My question is if anyone has done this before what would you recommend as the best way about assigning rights to the OU of the domain to allow its old administrators to still manage the OU and its Sub OUs? Dave