Translating Security in Remove Mode

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Translate security on objects to remove the security identifiers (SIDs) of the accounts in the source domain from the access control lists (ACLs) of the migrated objects. Do this only after all of the source accounts are disabled. Run the Security Translation Wizard on all files, shared folders, printers, and local groups, and at least one domain controller (to translate security on shared local groups).

When you translate security in Remove mode, the source domain SIDs of the user are removed from the ACLs; this is safe only if the target user account has been migrated successfully and those SIDs have been added to it. This process enables administrative cleanup, and it ensures that users use their "new" target domain account and stop using the "old" source domain account.
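Because Remove mode strips the source SIDs from ACLs, a practitioner normally wants to confirm the precondition stated above (source accounts disabled, SIDs carried over to the target accounts) before running the wizard or the ADMT SECURITY command. The following preflight check is an added example, not code from the ADMT documentation: it assumes the ActiveDirectory PowerShell module is installed, that the account running it can read both domains, and it uses placeholder domain names. It finds target users that carry sIDHistory entries from the source domain, looks up each corresponding source account, and reports any that are still enabled.

```powershell
# Added example (not from the ADMT documentation): preflight for Security Translation
# in Remove mode. Assumes the ActiveDirectory module and read access to both domains.
# Domain names are placeholders.
param(
    [string]$SourceDomain = 'source.example.com',
    [string]$TargetDomain = 'target.example.com'
)

Import-Module ActiveDirectory

# The source domain's SID identifies which sIDHistory entries came from that domain.
$sourceDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID

# Target accounts that carry sIDHistory are the ones migrated with SID history.
$migrated = @(Get-ADUser -Server $TargetDomain -Filter 'sIDHistory -like "*"' -Properties sIDHistory)

$stillEnabled = @()
$alreadyGone  = @()

foreach ($user in $migrated) {
    foreach ($sid in $user.sIDHistory) {
        # Skip history entries that belong to some other domain.
        if ($sid.AccountDomainSid -ne $sourceDomainSid) { continue }
        try {
            # Get-ADUser accepts a SID string as the identity.
            $src = Get-ADUser -Server $SourceDomain -Identity $sid.Value -Properties Enabled
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # The source account no longer exists; there is nothing left to disable.
            $alreadyGone += $sid.Value
            continue
        }
        if ($src.Enabled) {
            $stillEnabled += [pscustomobject]@{
                TargetAccount = $user.SamAccountName
                SourceAccount = $src.SamAccountName
                SourceSid     = $sid.Value
            }
        }
    }
}

if ($stillEnabled.Count -gt 0) {
    Write-Warning ("{0} source account(s) are still enabled; do not translate in Remove mode yet." -f $stillEnabled.Count)
    $stillEnabled | Format-Table -AutoSize
    exit 1
}

Write-Host ("Checked {0} migrated account(s); {1} source account(s) already deleted. Source accounts are disabled, so Remove mode can proceed." -f $migrated.Count, $alreadyGone.Count)
exit 0
```

Run it from the ADMT computer in the target domain with the ADMT account migration account; a non-zero exit code means at least one source account is still enabled and Remove mode should wait.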

You can translate security in Remove mode on objects by using the Active Directory Migration Tool (ADMT) snap-in, the ADMT command-line option, or a script.

To translate security in Remove mode on objects by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the Security Translation Wizard by following the steps in the following table.

    Wizard page: Security Translation Options
    Action: Click Previously migrated objects.

    Wizard page: Domain Selection
    Action: Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.
    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Wizard page: Computer Selection
    Action: Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers for which you want to translate security, click OK, and then click Next.
    Or
    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Wizard page: Translate Objects
    Action: Clear the User Profiles check box. Select all the other check boxes.

    Wizard page: Security Translation Options
    Action: Click Remove.

To translate security in Remove mode on objects by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the ADMT Security command with the appropriate parameters, and then press ENTER:

    ADMT SECURITY /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /TOT:Remove

    As an alternative, you can include parameters in an option file that is specified at the command line, as follows:

    ADMT SECURITY /N "<computer_name1>" "<computer_name2>" /O "<option_file>.txt"

    The following table lists the common parameters that are used for migrating user accounts, along with the command-line parameter and option file equivalents.

    Parameter: Source domain
    Command-line syntax: /SD:"source_domain"
    Option file syntax: SourceDomain="source_domain"

    Parameter: Target domain
    Command-line syntax: /TD:"target_domain"
    Option file syntax: TargetDomain="target_domain"

    Parameter: Security translation options
    Command-line syntax: /TOT:Remove
    Option file syntax: TranslateOption=REMOVE

  3. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will have to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTaskID.log, and it is stored in the Windows\ADMT\Logs\Agents folder.

To translate security in Remove mode on objects by using a script

  • Prepare a script that incorporates ADMT commands and options for translating security in Remove mode on objects by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="TranslatingSecurityInRemoveModeOnObjectsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objSecurityTranslation

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objSecurityTranslation = objMigration.CreateSecurityTranslation

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "Computers"

       '
       'Specify security translation specific options.
       'User profiles are left alone; everything else is translated in Remove mode.
       '

       objSecurityTranslation.TranslationOption = admtTranslateRemove
       objSecurityTranslation.TranslateFilesAndFolders = True
       objSecurityTranslation.TranslateLocalGroups = True
       objSecurityTranslation.TranslatePrinters = True
       objSecurityTranslation.TranslateRegistry = True
       objSecurityTranslation.TranslateShares = True
       objSecurityTranslation.TranslateUserProfiles = False
       objSecurityTranslation.TranslateUserRights = True

       '
       'Perform security translation on specified computer objects.
       '

       objSecurityTranslation.Translate admtData, _
           Array("computer name1", "computer name2")

       Set objSecurityTranslation = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>