Migrate User Accounts

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Domains can include a large number of user accounts. To make the migration of user accounts manageable, use a technique called phased transitioning, in which you divide your user accounts into smaller batches and migrate each batch individually. You can group the users in any way that you prefer.

You cannot migrate every user property when you migrate user accounts. For example, data that is protected by the Data Protection API (DPAPI) is not migrated. DPAPI helps protect the following items:

  • Web page credentials (for example, passwords)

  • File share credentials

  • Private keys that are associated with EFS, Secure/Multipurpose Internet Mail Extensions (S/MIME), and other certificates

  • Program data that is protected by using the CryptProtectData() function

In addition, ADMT excludes some system attributes by design. For more information, see Managing Users, Groups, and User Profiles.

For this reason, it is important to test user migrations. Use your test migration account to identify any properties that did not migrate, and update user configurations in the target domain accordingly.
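One way to carry out the check described above is to compare the attributes of the test migration account in both domains. The following is an added example, not part of the original documentation or of ADMT. The function name, the ignore list and the sample account data are all assumptions constructed for illustration.

```powershell
# Attributes assumed to differ between domains regardless of migration
# (illustrative list, adjust for your environment).
$ExpectedToDiffer = 'objectSid', 'objectGUID', 'distinguishedName',
                    'whenCreated', 'whenChanged', 'uSNCreated', 'uSNChanged'

# Hypothetical helper: reports source attributes that are missing from,
# or differ in, the migrated copy of the account.
function Compare-MigratedUser {
    param(
        [Parameter(Mandatory)][hashtable]$Source,
        [Parameter(Mandatory)][hashtable]$Target,
        [string[]]$Ignore = $ExpectedToDiffer
    )
    foreach ($name in ($Source.Keys | Sort-Object)) {
        if ($Ignore -contains $name) { continue }
        # Normalize single and multi-valued attributes to a sorted string.
        $src = (@($Source[$name]) | ForEach-Object { "$_" } | Sort-Object) -join ';'
        if (-not $Target.ContainsKey($name)) {
            [pscustomobject]@{ Attribute = $name; Status = 'Missing'; Source = $src; Target = $null }
            continue
        }
        $tgt = (@($Target[$name]) | ForEach-Object { "$_" } | Sort-Object) -join ';'
        if ($src -cne $tgt) {
            [pscustomobject]@{ Attribute = $name; Status = 'Different'; Source = $src; Target = $tgt }
        }
    }
}

# Constructed sample data for a test migration account. In practice each
# hashtable would be built from a directory query against that domain.
$sourceUser = @{
    sAMAccountName = 'testmig01'
    displayName    = 'Test Migration 01'
    department     = 'Finance'
    proxyAddresses = 'SMTP:testmig01@source.example', 'smtp:tm01@source.example'
    objectSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
}
$targetUser = @{
    sAMAccountName = 'testmig01'
    displayName    = 'Test Migration 01'
    proxyAddresses = 'SMTP:testmig01@source.example'
    objectSid      = 'S-1-5-21-4444444444-5555555555-6666666666-2310'
}

# Reports department as Missing and proxyAddresses as Different;
# objectSid is skipped because it is on the ignore list.
Compare-MigratedUser -Source $sourceUser -Target $targetUser | Format-Table -AutoSize
```

This comparison covers directory attributes only. The DPAPI-protected items listed above are not visible to it and must be checked separately on the test account.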

If you are using Group Policy objects to manage software installation, remember that some Windows Installer files require access to the original source for certain operations, such as repair and uninstall. The administrator must reassign permissions to the software distribution point to provide access to any account.

To retain software distribution access, perform these tasks:

  1. Migrate users by using the Active Directory Migration Tool (ADMT).

  2. Run the Security Translation Wizard on the software distribution point.