Migrating Domain and Shared Local Groups

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Shared local groups are local groups in Windows NT 4.0 and Active Directory domains that can be used in the access control lists (ACLs) on domain controllers. When a domain is configured to operate either in Windows 2000 native mode domain functional level or higher, shared local groups are automatically changed to domain local groups. These groups can then be used in ACLs on member servers and workstations. If domain local groups or shared local groups are used in ACLs on either domain controllers or member servers, you have to migrate them to the target domain before the server is migrated.

It is not necessary to change any ACLs as part of the migration process. The ACLs continue to reference the domain local groups or shared local groups in the source domain. Because the domain local groups or shared local groups can be migrated to the target domain while using security identifier (SID) history, users maintain access to the resources. ADMT retains the membership of the local group during the migration.

You can migrate domain or shared local groups by using the Active Directory Migration Tool (ADMT) snap-in or a script.

To migrate domain and shared local groups by using the ADMT snap-in

  1. On the computer in the target domain on which you installed ADMT, log on by using the ADMT resource migration account.

  2. Use the Group Account Migration Wizard, performing the following action on each wizard page.

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Group Selection

    Click Select groups from domain, and then click Next. On the Group Selection page, click Add to select the groups in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection

    Type the name of the organizational unit (OU), or click Browse.

    In the Browse for Container dialog box, find the container in the target domain that you want to move the groups into, and then click OK.

    Group Options

    Select the Migrate Group SIDs to target domain check box.

    Ensure that all other options are not selected.

    User Account

    Type the user name, password, and domain of an account that has administrative rights in the source domain.

    Object Property Exclusion

    Clear the Exclude specific object properties from migration check box.

    Conflict Management

    Select the Migrate and merge conflicting objects check box. (All other options are cleared.)

  3. When the wizard has finished running, click View Log. Review the migration log for any errors.

  4. Open Active Directory Users and Computers, locate the target organizational unit (OU), and then verify that the shared local groups exist in the target domain OU.
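A check for step 4 that goes further than opening Active Directory Users and Computers, as an added PowerShell example that is not part of this article: it confirms that each migrated group exists in the target OU, that the source group's SID was written to its SID history (the reason the existing ACLs keep working), and that its membership was retained. The domain names, OU and group names are assumed placeholders, and the ActiveDirectory module from RSAT is assumed to be available.

```powershell
# Added example (not from the ADMT documentation): after the wizard or script
# has run, confirm that each migrated group exists in the target OU, carries
# the source group's SID in sIDHistory, and kept its members.
# Domain, OU and group names below are placeholders.
Import-Module ActiveDirectory

$sourceDomain = 'source.example'                              # placeholder
$targetDomain = 'target.example'                              # placeholder
$targetOu     = 'OU=Migrated Groups,DC=target,DC=example'     # placeholder
$groupNames   = @('local group name1', 'local group name2')   # as in the sample script

foreach ($name in $groupNames) {
    $src = Get-ADGroup -Identity $name -Server $sourceDomain -Properties Members
    $tgt = Get-ADGroup -Filter "Name -eq '$name'" -Server $targetDomain `
                       -SearchBase $targetOu -Properties SIDHistory, Members

    if (-not $tgt) {
        Write-Warning "$name was not found in $targetOu"
        continue
    }

    # Without the source SID in sIDHistory, ACLs on domain controllers and
    # member servers that still reference the source group stop resolving.
    $historySids = @($tgt.SIDHistory | ForEach-Object { $_.Value })
    $sidRetained = $historySids -contains $src.SID.Value

    # ADMT should retain membership; compare member RDNs across the two domains.
    # (Simple split on ','; RDNs containing escaped commas would need a DN parser.)
    $srcMembers = @($src.Members | ForEach-Object { ($_ -split ',', 2)[0] })
    $tgtMembers = @($tgt.Members | ForEach-Object { ($_ -split ',', 2)[0] })
    $missing    = @($srcMembers | Where-Object { $tgtMembers -notcontains $_ })

    [pscustomobject]@{
        Group          = $name
        TargetScope    = $tgt.GroupScope
        SidHistoryOk   = $sidRetained
        MissingMembers = ($missing -join '; ')
    }
}
```

A row with SidHistoryOk set to False or a non-empty MissingMembers value means the group must be reviewed before the server that references it is migrated.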

To migrate domain and shared local groups by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating domain and shared local groups by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="MigratingDomainAndSharedLocalGroupsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objGroupMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objGroupMigration = objMigration.CreateGroupMigration

       '
       'Specify general migration options.
       'Replace the placeholder strings with the NetBIOS or DNS names of the
       'source and target domains and the source and target containers (OUs).
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Specify group migration specific options.
       'MigrateSIDs adds the source group SID to the SID history of the
       'migrated group, which is what keeps existing ACLs working.
       '

       objGroupMigration.MigrateSIDs = True

       '
       'Migrate specified group objects. admtData is defined in
       'AdmtConstants.vbs and indicates that the group names are
       'supplied in the array rather than read from an include file.
       '

       objGroupMigration.Migrate admtData, _
          Array("local group name1", "local group name2")

       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>