Create Migration Account Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To migrate accounts and resources within a forest, you must establish an account migration group and a resource migration group with the appropriate credentials. You must then add the accounts that will be performing the ADMT migrations to the account migration and resource migration groups, as appropriate. Because ADMT requires only a limited set of permissions, creating separate migration groups allows you to simplify administration by creating the groups, assigning the appropriate permissions, and then adding the necessary administrators to those groups. If the migration tasks for your organization are distributed across more than one administrative group, create separate migration groups for each administrative group that performs the migration.

To simplify administration, create a single migration group in the source domain and a single migration group in the target domain for all objects. Assign the required permissions to modify objects such as users, global groups, and local profiles according to Table 12.4. The user who is running ADMT must be an administrator on the computer where ADMT is installed.

In the target domain, use a group with delegated control of the computer OU and the user OU. You might want to use a separate group for the migration of workstations if this migration process is delegated to administrators who are in the same location as the workstations.

Use the information in Table 12.4 to determine the credentials that are required for your migration.

Table 12.4   Migration Account Group Credentials