Migrating Domain and Shared Local Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Shared local groups are local groups in Windows NT 4.0 and Active Directory domains that can be used in ACLs on domain controllers. When a domain is configured to operate either in Windows 2000 native mode or at the Windows Server 2003 domain functional level, shared local groups are automatically changed to domain local groups. These groups can then be used in ACLs on member servers and workstations. If either domain local groups or shared local groups are used in ACLs on either domain controllers or member servers, then they need to be migrated to the target domain before the server is migrated.

Note that it is not necessary to change any ACLs as part of the migration process. The ACLs continue to reference the domain local groups or shared local groups in the source domain. Because the domain local groups or shared local groups can be migrated to the target domain while using SID history, users maintain access to the resources. ADMT retains the membership of the local group during the migration.

You can migrate domain or shared local groups by using the ADMT console or by using a script.

To migrate domain and shared local groups by using the ADMT console

  1. On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT resource migration account.

  2. Open the Active Directory Migration Tool, and then select Group Account Migration Wizard.

  3. Complete the Group Account Migration Wizard by using the information in Table 11.34.

    Table 11.34   Using the Group Account Migration Wizard to Migrate Domain and Shared Local Groups

    Wizard Page: Test or Make Changes
    Action:
      Click Migrate Now?

    Wizard Page: Domain Selection
    Action:
      In the Source domain box, type the NetBIOS or DNS name of the source domain or select the name from a list.
      In the Target domain box, type the NetBIOS or DNS name of the target domain.

    Wizard Page: Group Selection
    Action:
      Click Add.
      In the Select Groups dialog box, select all domain and shared local groups that you need to migrate (except built-in groups), click Add, and then click OK.

    Wizard Page: Organizational Unit Selection
    Action:
      Type the name of the OU or click Browse.
      In the Browse for Container dialog box, locate the container in the target domain to which the local groups are migrating, and then click OK.

    Wizard Page: Group Options
    Action:
      Click Migrate Group SIDs to target domain.
      Click Do not rename accounts.
      Ensure that all other options are not selected.

    Wizard Page: User Account
    Action:
      Type the user name, password, and domain of an account that has administrative rights in the source domain.

    Wizard Page: Naming Conflicts
    Action:
      Click Ignore conflicting accounts and don’t migrate.

  4. When the wizard has finished running, click View Log. Review the migration log for any errors.

  5. Open Active Directory Users and Computers, locate the target OU, and then verify that the shared local groups exist in the target domain OU.
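    Step 5 only confirms that the groups exist. The following check, added here as an example and not taken from the Deployment Kit, goes further: it confirms that each group in the target OU is domain local, that its sIDHistory carries a SID from the source domain (the effect of Migrate Group SIDs to target domain), and that its membership survived. It assumes the ActiveDirectory PowerShell module can reach both domains; the OU path and domain names are placeholders.

```powershell
# Added example: verify ADMT-migrated domain local groups in the target OU.
# Assumes the ActiveDirectory module (RSAT); OU and domain names below are placeholders.
Import-Module ActiveDirectory

$targetOu        = "OU=Migrated Groups,DC=target,DC=example"     # placeholder target OU
$sourceDomainSid = (Get-ADDomain -Server "source.example").DomainSID.Value  # placeholder source domain

# groupType bit 0x4 marks a domain local group (0x80000000 marks it security-enabled).
$DomainLocalFlag = 0x4

$results = foreach ($g in Get-ADGroup -SearchBase $targetOu -Filter * -Properties sIDHistory, groupType, member) {
    # sIDHistory holds one or more SecurityIdentifier values; compare them as strings.
    $history = @($g.sIDHistory | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Name          = $g.SamAccountName
        IsDomainLocal = (($g.groupType -band $DomainLocalFlag) -ne 0)
        HasSourceSid  = (@($history | Where-Object { $_ -like "$sourceDomainSid-*" }).Count -gt 0)
        SidHistory    = ($history -join ';')
        MemberCount   = @($g.member).Count
    }
}

$results | Format-Table -AutoSize

# Groups failing either check will not resolve through SID history in ACLs that still
# reference the source-domain group, so they need attention before the source domain is retired.
$results | Where-Object { -not $_.IsDomainLocal -or -not $_.HasSourceSid }
```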

To migrate domain and shared local groups by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating domain and shared local groups by using the sample script shown in Listing 11.15.

    Listing 11.15   Migrating Domain and Shared Local Groups Between Forests

    <Job id="MigratingDomainAndSharedLocalGroupsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objGroupMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objGroupMigration = objMigration.CreateGroupMigration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Specify group migration specific options.
       'MigrateSIDs = True adds the source group SID to sIDHistory in the target domain.
       '

       objGroupMigration.MigrateSIDs = True

       '
       'Migrate specified group objects.
       'admtData is defined in AdmtConstants.vbs and selects migration by name list.
       '

       objGroupMigration.Migrate admtData, _
          Array("local group name1", "local group name2")

       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

    For a script file to assist you in creating a script to migrate domain and shared local groups, see "Migrating Domain and Shared Local Groups Between Forests" (DSSREER_15.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Domain and Shared Local Groups Between Forests" on the Web at https://www.microsoft.com/reskit).