Transitioning Service Accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Begin the process of migrating objects by transitioning the service accounts that you selected when you identified service accounts. For more information about identifying service accounts, see "Service Account Identification" earlier in this chapter.

To transition service accounts, use ADMT to complete the following tasks:

  • Migrate the service accounts from the Windows NT 4.0 source account domain to the target domain.

  • Modify the services on each server in the source domain to use the service account in the target domain in place of the service account in the Windows NT 4.0 source account domain.

Note

  • This process only updates the Log on as a service right. If a service account has local rights based on its membership in a local group, then you must update these rights by running the Security Translation Wizard.

You can transition service accounts by using the ADMT console, by using the ADMT command-line option, or by using a script.

To transition service accounts by using the ADMT console

  1. On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Open the Active Directory Migration Tool console, and select User Account Migration Wizard.

  3. Complete the User Account Migration Wizard by using the information provided in Table 10.6.

    Table 10.6   Using the User Account Migration Wizard to Transition Service Accounts

    Wizard page: Test or Make Changes
      • Click Migrate Now?

    Wizard page: Domain Selection
      • In the Source domain box, type or select the name of the source domain.
      • In the Target domain box, type or select the name of the target domain.

    Wizard page: User Selection
      • Click Add.
      • In the Select Users dialog box, select all of the service accounts that were identified by the Service Account Migration Wizard, and then click Add.
      • Click OK.

    Wizard page: Organizational Unit Selection
      • Click Browse.
      • In the Browse for Container dialog box, navigate to the target domain, select the container for the service accounts, and then click OK.

    Wizard page: Password Options
      • Click Complex passwords.

    Wizard page: Account Transition Options
      • Click Enable target accounts.
      • Select the Migrate user SIDs to target domains check box.

    Wizard page: User Account
      • Type the user name, password, and domain of a user account that has administrative credentials.

    Wizard page: User Options
      • Select the Update user rights check box.
      • Make sure that Do Not Rename Accounts is selected.
      • Ensure that no other settings are selected, including the Migrate associated user groups option.

    Wizard page: Naming Conflicts
      • Select Ignore conflicting accounts.

    Wizard page: Service Account Information
      • Select Migrate all service accounts and update SCM for items marked include. If you are also migrating other user accounts that are not service accounts, this wizard page tells you that you have selected some accounts that are marked as service accounts in the ADMT database. By default, these accounts are marked as Include. To change the status of an account, select the account, and then click the Skip/Include button.
      • Click Next to migrate the accounts.

  4. When the wizard has finished running, click View Log, and then review the migration log for any errors.

  5. Start Active Directory Users and Computers, navigate to the OU that you created for service accounts, and then verify that the service accounts exist in the target domain OU.

  6. Confirm that each application for which the service account was relocated continues to function correctly.

To transition service accounts by using the ADMT command-line option

  1. On a domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type:

    ADMT USER /N "user_name1" "user_name2" [parameters]

    You can append parameters to the command as follows:

    ADMT USER /N "user_name1" "user_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /MSS:YES /UUR:YES

    Alternatively, you can include parameters in an option file that is specified on the command line as follows:

    ADMT USER /N "user_name1" "user_name2" /O:"option_file.txt"

    Table 10.7 lists the parameters required for transitioning service accounts, along with the command-line parameter and option file equivalents.

    Table 10.7   Parameters Required for Transitioning Service Accounts

    Parameter                     Command-Line Syntax            Option File Syntax
    Source domain                 /SD:"source_domain"            SourceDomain="source_domain"
    Target domain                 /TD:"target_domain"            TargetDomain="target_domain"
    Target OU location            /TO:"target_OU"                TargetOU="target_OU"
    Disable accounts              /DOT:ENABLETARGET (default)    DisableOption=ENABLETARGET (default)
    Migrate password              /PO:COMPLEX (default)          PasswordOption=COMPLEX
    Migrate user SIDs = YES       /MSS:YES                       MigrateSIDs=YES
    Update user rights = YES      /UUR:YES                       UpdateUserRights=YES
    Do not rename accounts        /RO:DONT (default)             RenameOption=DONT (default)
    Ignore conflicting accounts   /CO:IGNORE (default)           ConflictOptions=IGNORE (default)

  3. Review the results that are displayed on the screen for any errors.

  4. Start Active Directory Users and Computers and navigate to the target service account OU. Verify that the service accounts exist in the target domain OU.

  5. Confirm that each application for which the service account was relocated continues to function correctly.
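Both the console and the command-line procedures above end by confirming that the relocated services still work. The following PowerShell script is an added example, not part of this chapter or of ADMT: it lists the logon account of every service on the servers that ADMT updated and flags any service that still logs on with a source-domain account, which is the first thing to check when an application fails after the transition. The server names (APPSRV01, APPSRV02) and the source domain name (NT4DOM) are placeholders, and the script assumes PowerShell with WMI access to those servers.

```powershell
# Added example (not from the ADMT documentation): report the logon account of every
# Windows service on the servers ADMT was asked to update, flagging services that still
# log on with an account from the NT 4.0 source domain. Server and domain names are
# placeholders; replace them with the servers listed by the Service Account Migration Wizard.

function Get-ServiceAccountDomain {
    # Returns the domain portion of a service logon account in upper case, or $null for
    # built-in identities (LocalSystem, NT AUTHORITY\..., NT SERVICE\..., .\localuser).
    param([string]$StartName)
    if (-not $StartName) { return $null }
    if ($StartName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        $dom = $Matches['dom']
        if (@('NT AUTHORITY', 'NT SERVICE', '.') -contains $dom) { return $null }
        return $dom.ToUpper()
    }
    if ($StartName -match '^(?<user>[^@]+)@(?<dom>.+)$') { return $Matches['dom'].ToUpper() }
    return $null   # e.g. 'LocalSystem'
}

function Get-ServiceLogonReport {
    # One record per service that runs under a domain account. StillOnSourceDomain is $true
    # when the SCM entry was not updated (or the service was excluded from the migration).
    param([string[]]$Servers, [string[]]$SourceDomainNames)
    $sourceUpper = $SourceDomainNames | ForEach-Object { $_.ToUpper() }
    foreach ($server in $Servers) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop
        } catch {
            Write-Warning "Cannot query services on ${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($svc in $services) {
            $dom = Get-ServiceAccountDomain $svc.StartName
            if ($null -eq $dom) { continue }   # skip built-in identities
            New-Object PSObject -Property @{
                Server              = $server
                Service             = $svc.Name
                LogonAccount        = $svc.StartName
                State               = $svc.State
                StillOnSourceDomain = ($sourceUpper -contains $dom)
            }
        }
    }
}

# Placeholder values: the NT 4.0 source domain NetBIOS name and the servers to check.
$report = Get-ServiceLogonReport -Servers @('APPSRV01', 'APPSRV02') -SourceDomainNames @('NT4DOM')
$report | Where-Object { $_.StillOnSourceDomain } | Format-Table Server, Service, LogonAccount, State -AutoSize
```

Services that appear in the output were not updated by ADMT; remember that a service whose logon account was updated can still fail if it depended on rights granted through local group membership, which the Security Translation Wizard handles.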

To transition service accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for transitioning service accounts by using the sample script shown in Listing 10.4.

    Listing 10.4   Transitioning Service Accounts

    <Job id="TransitioningServiceAccountsNTSource">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit
       Dim objMigration
       Dim objUserMigration
       '
       'Create instance of ADMT migration objects.
       '
       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration
       '
       'Specify general migration options.
       '
       objMigration.SourceDomain = "source domain"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
       objMigration.ConflictOptions = admtIgnoreConflicting
       '
       'Specify user migration specific options.
       '
       objUserMigration.DisableOption = admtEnableTarget
       objUserMigration.MigrateSIDs = True
       objUserMigration.UpdateUserRights = True
       objUserMigration.MigrateServiceAccounts = True
       '
       'Migrate specified service accounts.
       '
       objUserMigration.Migrate admtData, _
          Array("service account name1", "service account name2")
       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>


    For a script file to assist you in creating a script to transition service accounts, see "Transitioning Service Accounts — Windows NT 4.0 Source" (DSSRENT_6.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Transitioning Service Accounts — Windows NT 4.0 Source" on the Web at https://www.microsoft.com/reskit).