Migrating All User Accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Begin the user account migration process by migrating all users. This enables you to translate local profiles and ensure that users continue to have the appropriate resource access following the migration.

Notes

  • Built-in accounts (such as Administrators, Users, and Power Users) cannot be ADMT migration objects. Because built-in account SIDs are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a forest must be unique.

  • Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT migration objects.

The ADMT user account migration process includes the following steps:

  1. ADMT reads the attributes of the source user objects.

  2. ADMT creates a new user object in the target domain and a new primary SID for the new user account.

  3. ADMT adds the original SID of the user account to the SID history attribute of the new user account.

  4. ADMT migrates the password for the user account.

  5. If ADMT identifies global groups in the target domain that the migrated users belonged to in the source domain, the tool adds the users to the appropriate global groups in the target domain.

During the migration, audit events are logged in both the source and the target domains.
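
The account restrictions in the notes and the outcome of steps 2 and 3 can be checked after a migration run. The following PowerShell is an added example, not part of the original page or of ADMT; the domain SIDs, account names, and record fields (Sid, SidHistory, Enabled) are constructed sample data.

```powershell
# Constructed domain SIDs and account records; a live check would read them
# from both directories (for example with Get-ADUser -Properties SIDHistory).
$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$TargetDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'
$WellKnownRids   = 512, 513   # Domain Admins, Domain Users

function Get-SidMigrationClass {
    param([string]$Sid)
    # Built-in accounts sit under S-1-5-32, which is the same in every domain.
    if ($Sid -match '^S-1-5-32-\d+$') { return 'BuiltIn' }
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        if ($WellKnownRids -contains [long]$Matches[1]) { return 'WellKnown' }
        return 'Migratable'
    }
    return 'Other'
}

function Test-MigratedAccount {
    param($Source, $Target)
    if (-not $Target) { return 'missing in target domain' }
    $issues = @()
    # Step 2: the new primary SID must be issued by the target domain.
    if ($Target.Sid -notlike "${TargetDomainSid}-*") { $issues += 'primary SID not from target domain' }
    # Step 3: the original SID must be carried in SID history.
    if ($Target.SidHistory -notcontains $Source.Sid) { $issues += 'source SID missing from SID history' }
    # Wizard setting "Disable target accounts".
    if ($Target.Enabled) { $issues += 'target account is enabled' }
    if ($issues.Count -eq 0) { return 'ok' }
    return ($issues -join '; ')
}

$source = @(
    [pscustomobject]@{ Name = 'Administrators'; Sid = 'S-1-5-32-544' }
    [pscustomobject]@{ Name = 'Domain Admins';  Sid = "${SourceDomainSid}-512" }
    [pscustomobject]@{ Name = 'alice';          Sid = "${SourceDomainSid}-1104" }
    [pscustomobject]@{ Name = 'bob';            Sid = "${SourceDomainSid}-1105" }
)
$target = @{
    alice = [pscustomobject]@{ Sid = "${TargetDomainSid}-2201"; SidHistory = @("${SourceDomainSid}-1104"); Enabled = $false }
    bob   = [pscustomobject]@{ Sid = "${TargetDomainSid}-2202"; SidHistory = @(); Enabled = $true }
}

foreach ($s in $source) {
    $class = Get-SidMigrationClass $s.Sid
    $result = if ($class -eq 'Migratable') { Test-MigratedAccount $s $target[$s.Name] } else { 'excluded: cannot be an ADMT migration object' }
    [pscustomobject]@{ Account = $s.Name; Class = $class; Result = $result }
}
```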

You can migrate user accounts by using the ADMT console, by using the ADMT command-line option, or by using a script.

To migrate user accounts by using the ADMT console

  1. On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT account migration account.

  2. Open the Active Directory Migration Tool, and then select User Account Migration Wizard.

  3. Complete the User Account Migration Wizard by using the information in Table 11.10.

    Table 11.10   Using the User Account Migration Wizard to Migrate User Accounts

    | Wizard Page | Action |
    |---|---|
    | Test or Make Changes | Click Migrate Now?. |
    | Domain Selection | In the Source domain box, type or select the name of the source domain. In the Target domain box, type or select the name of the target domain. |
    | User Selection | Click Add. In the Select Users dialog box, click all the user accounts, and then click Add. By default, the wizard migrates the accounts to the Users container. Click Do Not Migrate Passwords (use complex passwords). Click OK. |
    | Organizational Unit Selection | ADMT lists an OU here. Ensure that this is the correct target OU. If it is not correct, type the correct OU or click Browse. In the Browse for Container dialog box, locate the target domain and OU, and then click OK. |
    | Password Options | Click Do Not Migrate Passwords. Click Complex Passwords. |
    | Account Transition Options | Click Disable target accounts. Click Enable source account. Click the Migrate user SIDs to target domains check box. |
    | User Account | Type the user name, password, and domain of a user account that has administrative credentials. |
    | User Options | Click the Translate roaming profiles check box. Click the Update user rights check box. Clear the Migrate associated user groups check box. Click Fix users’ group memberships. Click the Do not rename accounts check box. |
    | Object Property Exclusion | Clear the Exclude specific object properties from migration check box. |
    | Naming Conflicts | Click Ignore conflicting accounts and don’t migrate. Clear the Remove existing user rights check box. Clear the Move replaced accounts to specific target Organizational Unit check box. |

  4. When the wizard has finished running, click View Log and review the migration log for any errors.

  5. Open Active Directory Users and Computers and verify that the user accounts exist in the appropriate OU in the target domain.

To migrate user accounts by using the ADMT command-line option

  1. On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type:

    ADMT USER /N "user_name1" "user_name2"  /SD:"source_domain"  /TD:"target_domain"  /TO:"target_OU"  [parameters]
    

    You can append parameters to the command as follows:

    ADMT USER /N "user_name1" "user_name2"  /SD:"source_domain"  /TD:"target_domain"  /TO:"target_OU" /MSS:YES /TRP:YES /UUR:YES
    

    Alternatively, you can include parameters in an option file that is specified at the command line as follows:

    ADMT USER /N "user_name1" "user_name2" /O "option_file.txt"
    

    Table 11.11 lists the common parameters used for migrating user accounts, along with the command-line parameter and option file equivalents.

    Table 11.11   Common Parameters Used for User Migrations

    | Parameters | Command-Line Syntax | Option File Syntax |
    |---|---|---|
    | Source domain | /SD:"source_domain" | SourceDomain="source_domain" |
    | Target domain | /TD:"target_domain" | TargetDomain="target_domain" |
    | Target OU location | /TO:"target_OU" | TargetOU="target_OU" |
    | Migrate SIDs | /MSS:YES | MigrateSIDs=YES |
    | Do not rename accts | /RO:DONT (default) | RenameOption=DONT |
    | Ignore conflicting accts and not migrate them | /CO:IGNORE (default) | ConflictOptions=IGNORE |
    | Translate Roaming Profile | /TRP:YES (default) | TranslateRoamingProfile=YES |
    | Update User Rights | /UUR:NO | UpdateUserRights=NO |
    | Password Options | /PO:COMPLEX | PasswordOption=COMPLEX |

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers and locate the target OU. Verify that the users exist in the target OU.

To migrate user accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating users by using the sample script shown in Listing 11.6.

    Listing 11.6   Migrating All User Accounts Between Forests

    <Job id="MigratingAllUserAccountsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit
    
       Dim objMigration
       Dim objUserMigration
    
       '
       'Create instance of ADMT migration objects.
       '
    
       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration
    
       '
       'Specify general migration options.
       '
    
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
       objMigration.PasswordOption = admtComplexPassword
       objMigration.ConflictOptions = admtIgnoreConflicting
    
       '
       'Specify user migration specific options.
       '
    
       objUserMigration.MigrateSIDs = True
       objUserMigration.TranslateRoamingProfile = True
       objUserMigration.UpdateUserRights = True
       objUserMigration.FixGroupMembership = True
       objUserMigration.MigrateServiceAccounts = False
    
       '
       'Migrate specified user objects.
       '
    
       objUserMigration.Migrate admtData, Array("user name1", "user name2")
    
       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

    For a sample script file to assist you in creating a script to migrate user accounts, see "Migrating All User Accounts Between Forests" (DSSREER_6.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating All User Accounts Between Forests" on the Web at https://www.microsoft.com/reskit).