When migrating user or group objects with ADMT, one of the options is to update the user rights for the migrated objects. For me, the ADMT help or migration guide has always been pretty unclear about what this option in fact does.
If a user or group has been granted user rights assignments like “act as part of the operating system” or “impersonate a client after logon” on the domain controllers in the source domain, then the “update user rights” option in ADMT will ensure the migrated object gets these user rights assignments on the target domain as well.
Picture of the source security policy on a DC:
The ADMT migration log says that the privileges were granted. The seTcbPrivilege means “trusted computing base” privilege and is in fact “act as part of the operating system”.
And in the security policy of a domain controller in the target domain:
This is an option which I would rather not check during migrations. If some of the users or groups require these kinds of privileges, I would set them by hand afterwards.
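To check which accounts hold these rights on a target-domain DC after a migration, the user rights section of the local security policy can be exported with `secedit` and filtered. The following is an added example, not part of the original post; the function name `Get-UserRightHolder` is hypothetical and the sample export lines and SIDs are constructed.

```powershell
# Added example: list the holders of sensitive user rights from a secedit export.
# Get-UserRightHolder is a hypothetical helper name, not an ADMT or Windows cmdlet.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,
        # Rights named in the post: "act as part of the operating system"
        # and "impersonate a client after logon".
        [string[]] $Right = @('SeTcbPrivilege', 'SeImpersonatePrivilege')
    )
    foreach ($line in $InfLines) {
        # [Privilege Rights] entries look like: SeTcbPrivilege = *S-1-5-32-544,name
        if ($line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $holders = $Matches[2]
        if ($Right -notcontains $name) { continue }
        foreach ($h in ($holders -split ',')) {
            $h = $h.Trim()
            if (-not $h) { continue }
            $account = $h
            if ($h.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; resolve them where possible.
                $sid = $h.TrimStart('*')
                try {
                    $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    # Typical for a domain SID that this machine cannot look up.
                    $account = "$sid (unresolved)"
                }
            }
            [pscustomobject]@{ Right = $name; Holder = $account }
        }
    }
}

# Constructed sample of an export, so the function can be tried offline.
$sample = @'
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeBackupPrivilege = *S-1-5-32-544
'@ -split "`r?`n"
Get-UserRightHolder -InfLines $sample | Format-Table -AutoSize

# On a DC, from an elevated session, use the real policy instead of the sample:
#   $cfg = Join-Path $env:TEMP 'user-rights.inf'
#   secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
#   Get-UserRightHolder -InfLines (Get-Content $cfg)
```

Running the export on a DC before and after the migration and comparing the two outputs shows which migrated users or groups picked up a right through the “update user rights” option.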