Service Account Identification

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Identify the member servers and domain controllers that run applications as services by using a service account. A service account is a user account created explicitly to provide a security context for these applications. The service account is a standard user account that is assigned the Log on as a service user right.

Note

  • This step does not migrate the accounts but only identifies them for later migration. To identify service accounts, ADMT dispatches an agent to the server in the source domain that records the services that are running on that server.

ADMT includes these accounts in its list of service accounts, that is, accounts under which services run that are not the Local System account. After the accounts themselves are migrated, the services on each computer must be updated to use the migrated accounts.

When service accounts are migrated later by means of the User Account Migration Wizard, ADMT makes the proper changes on the member server. If the service account is assigned rights by means of a group membership, you must also run the Security Translation Wizard to update the user rights and group memberships of the service account. For more information about migrating service accounts, see "Transitioning Service Accounts" later in this chapter.
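The inventory ADMT's agent builds can be cross-checked independently. The following PowerShell script is an added example (not from the ADMT documentation or the ADMT tool itself); it queries the Service Control Manager of each listed server through WMI and reports every service whose logon account is not a built-in identity, classifying it as a local account, an account in the source domain, or other. It assumes RPC/WMI access to the servers from an administrative account; the computer names and domain names are constructed placeholders.

```powershell
# Added example: list services on member servers that do not run as a
# built-in identity, so the result can be compared with ADMT's list.
param(
    [string[]]$ComputerName    = @('SRV01', 'SRV02'),     # placeholders
    [string]$SourceDomain      = 'SOURCEDOM',             # NetBIOS name, placeholder
    [string]$SourceDnsDomain   = 'sourcedom.example'      # DNS name, placeholder
)

# Logon names the SCM reports for built-in service identities
# (-contains is case-insensitive, so one spelling of each is enough).
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',  'NT AUTHORITY\LOCAL SERVICE',
             'NT AUTHORITY\NetworkService','NT AUTHORITY\NETWORK SERVICE')

foreach ($computer in $ComputerName) {
    try {
        $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop
    } catch {
        # Same failure mode the wizard log reports: missing rights or no RPC path.
        Write-Warning "${computer}: cannot query services ($($_.Exception.Message))"
        continue
    }

    foreach ($svc in $services) {
        $account = $svc.StartName
        # Some services have no logon account recorded; skip those.
        if ([string]::IsNullOrEmpty($account)) { continue }
        if ($builtIn -contains $account)       { continue }

        # Local accounts appear as .\name or COMPUTER\name; source-domain
        # accounts as DOMAIN\name or name@dns.domain. Anything else is
        # flagged as Other so it can be reviewed before migration.
        $scope = 'Other'
        if ($account -like '.\*' -or $account -like "$computer\*") {
            $scope = 'Local'
        } elseif ($account -like "$SourceDomain\*" -or $account -like "*@$SourceDnsDomain") {
            $scope = 'SourceDomain'
        }

        New-Object PSObject -Property @{
            Computer  = $computer
            Service   = $svc.Name
            Account   = $account
            Scope     = $scope
            StartMode = $svc.StartMode
            State     = $svc.State
        }
    }
}
```

Rows with Scope = SourceDomain are the accounts that should also appear in ADMT's service account list; any that are missing there point at a server the agent could not reach.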

You can identify service accounts by using the ADMT console, by using the ADMT command-line option, or by using a script.

To identify service accounts by using the ADMT console

  1. On the domain controller on which ADMT is installed, log on by using the ADMT account migration account.

  2. Open the Active Directory Migration Tool console, and then select Service Account Migration Wizard.

  3. Complete the Service Account Migration Wizard by using the information in Table 10.4.

    Table 10.4   Using the Service Account Migration Wizard

    Wizard Page                  Action
    Domain Selection             In the Source domain box, type or select the NetBIOS name of the source domain.
                                 In the Target domain box, type or select the NetBIOS or DNS name of the target domain.
    Update Information           Select Yes, update the information.
    Service Account Selection    Click Add.
                                 In the Select Computers list box, select the names of all servers that have service accounts.
                                 Click OK, and then click Next.
    Service Account Information  Select any user accounts that do not need to be marked as service accounts in the ADMT database, and click Skip/Include to mark them as Skip.

  4. When the wizard has finished running on all computers, on the Server List page, click View Log. The log explains why the wizard did not succeed on any given computer; for example, invalid permissions cause the wizard to fail on that computer.


To identify service accounts by using the ADMT command-line option

  1. On a domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type:

    ADMT SERVICE /N "computer_name1" "computer_name2" [parameters]

    computer_name1 and computer_name2 are the names of computers in the source domain that run service accounts. You can append parameters to the command as follows:

    ADMT SERVICE /N "computer_name1" "computer_name2" /SD:"source_domain" /TD:"target_domain"

    Alternatively, you can include parameters in an options file that is specified on the command line as follows:

    ADMT SERVICE /N "computer_name1" "computer_name2" /O:"option_file.txt"
    

    Table 10.5 lists the parameters required for the identification of service accounts, along with the command-line parameter and option file equivalents.

    Table 10.5   Parameters Required for Service Account Identification

    Parameter       Command-Line Syntax    Option File Syntax
    Source domain   /SD:"source_domain"    SourceDomain="source_domain"
    Target domain   /TD:"target_domain"    TargetDomain="target_domain"

  3. Review the results that are displayed on the screen for any errors.

To identify service accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for identifying service accounts by using the sample script shown in Listing 10.3.

    Listing 10.3   Identifying Service Accounts

    <Job id="IdentifyingServiceAccounts">
    <Script language="VBScript" src="AdmtConstants.vbs"/>
    <Script language="VBScript">
       Option Explicit
       Dim objMigration
       Dim objServiceAccountEnumeration
       '
       'Create instance of ADMT migration objects.
       '
       Set objMigration = CreateObject("ADMT.Migration")
       Set objServiceAccountEnumeration = _
            objMigration.CreateServiceAccountEnumeration
       '
       'Specify general migration options.
       '
       objMigration.SourceDomain = "source domain"
       '
       'Enumerate service accounts on the specified computers.
       'admtData is defined in AdmtConstants.vbs and tells Enumerate that
       'the computer list is passed directly rather than read from a file.
       '
       objServiceAccountEnumeration.Enumerate admtData, _
            Array("computer name1", "computer name2")
       Set objServiceAccountEnumeration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

    For a script file to assist you in creating a script to identify service accounts, see "Identifying Service Accounts" (DSSRENT_5.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Identifying Service Accounts" on the Web at https://www.microsoft.com/reskit).