Migrating All User Accounts
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Begin the user account migration process by migrating all users. This enables you to translate local profiles and ensure that users continue to have the appropriate resource access following the migration.
Notes
Built-in accounts (such as Administrators, Users, and Power Users) cannot be ADMT migration objects. Because built-in account SIDs are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a forest must be unique.
Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT migration objects.
The ADMT user account migration process includes the following steps:
ADMT reads the attributes of the source user objects.
ADMT creates a new user object in the target domain and a new primary SID for the new user account.
ADMT adds the original SID of the user account to the SID history attribute of the new user account.
ADMT migrates the password for the user account.
If ADMT identifies global groups in the target domain that the migrated users belonged to in the source domain, the tool adds the users to the appropriate global groups in the target domain.
During the migration, audit events are logged in both the source and the target domains.
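The steps and notes above imply invariants that can be checked once the migration has run. The following is an added example, not part of the original page or of ADMT: it assumes the objectSid and sIDHistory values of the accounts have already been exported from both domains into dictionaries, and every account name and SID in it is constructed sample data.

```python
from collections import Counter

BUILTIN_PREFIX = "S-1-5-32-"  # built-in accounts: identical SID in every domain
FIRST_ORDINARY_RID = 1000     # lower RIDs are well-known accounts (e.g. 512, 513)


def rid(sid):
    return int(sid.rsplit("-", 1)[1])


def domain_part(sid):
    return sid.rsplit("-", 1)[0]


def check_migration(source, target):
    """source: {name: sid}; target: {name: {"sid": str, "sid_history": [str]}}.
    Returns a sorted list of (account, finding); an empty list means no findings."""
    findings = []
    sid_counts = Counter(a["sid"] for a in target.values())
    for name, src_sid in source.items():
        acct = target.get(name)
        if acct is None:
            findings.append((name, "not found in target"))
            continue
        # Step 2: the target account must have a new primary SID.
        if domain_part(acct["sid"]) == domain_part(src_sid):
            findings.append((name, "primary SID still carries the source domain identifier"))
        if sid_counts[acct["sid"]] > 1:
            findings.append((name, "primary SID is not unique"))
        # Step 3: the original SID must be present in SID history.
        if src_sid not in acct["sid_history"]:
            findings.append((name, "original SID missing from SID history"))
        for old in acct["sid_history"]:
            if old.startswith(BUILTIN_PREFIX) or rid(old) < FIRST_ORDINARY_RID:
                findings.append((name, "built-in or well-known SID in SID history: " + old))
            elif old != src_sid:
                findings.append((name, "unexpected SID in SID history: " + old))
    return sorted(findings)


# Constructed sample data (hypothetical domains and accounts).
SRC = "S-1-5-21-1111111111-2222222222-3333333333"
TGT = "S-1-5-21-4444444444-5555555555-6666666666"
SOURCE = {"alice": SRC + "-1104", "bob": SRC + "-1105", "carol": SRC + "-1106"}
TARGET = {
    "alice": {"sid": TGT + "-2001", "sid_history": [SRC + "-1104"]},
    "bob": {"sid": TGT + "-2002", "sid_history": []},
    "carol": {"sid": TGT + "-2003", "sid_history": [SRC + "-1106", SRC + "-512"]},
}

if __name__ == "__main__":
    for account, finding in check_migration(SOURCE, TARGET):
        print(account, "-", finding)
```
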
You can migrate user accounts by using the ADMT console, by using the ADMT command-line option, or by using a script.
To migrate user accounts by using the ADMT console
On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT account migration account.
Open the Active Directory Migration Tool, and then select User Account Migration Wizard.
Complete the User Account Migration Wizard by using the information in Table 11.10.
Table 11.10 Using the User Account Migration Wizard to Migrate User Accounts
| Wizard Page | Action |
| --- | --- |
| Test or Make Changes | Click Migrate Now?. |
| Domain Selection | In the Source domain box, type or select the name of the source domain. In the Target domain box, type or select the name of the target domain. |
| User Selection | Click Add. In the Select Users dialog box, click all the user accounts, and then click Add. By default, the wizard migrates the accounts to the Users container. Click Do Not Migrate Passwords (use complex passwords). Click OK. |
| Organizational Unit Selection | ADMT lists an OU here. Ensure that this is the correct target OU. If it is not correct, type the correct OU or click Browse. In the Browse for Container dialog box, locate the target domain and OU, and then click OK. |
| Password Options | Click Do Not Migrate Passwords. Click Complex Passwords. |
| Account Transition Options | Click Disable target accounts. Click Enable source account. Click the Migrate user SIDs to target domains check box. |
| User Account | Type the user name, password, and domain of a user account that has administrative credentials. |
| User Options | Click the Translate roaming profiles check box. Click the Update user rights check box. Clear the Migrate associated user groups check box. Click Fix users’ group memberships. Click the Do not rename accounts check box. |
| Object Property Exclusion | Clear the Exclude specific object properties from migration check box. |
| Naming Conflicts | Click Ignore conflicting accounts and don’t migrate. Clear the Remove existing user rights check box. Clear the Move replaced accounts to specific target Organizational Unit check box. |
When the wizard has finished running, click View Log and review the migration log for any errors.
Open Active Directory Users and Computers and verify that the user accounts exist in the appropriate OU in the target domain.
To migrate user accounts by using the ADMT command-line option
On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
At the command line, type:
ADMT USER /N "user_name1" "user_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" [parameters]
You can append parameters to the command as follows:
ADMT USER /N "user_name1" "user_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /MSS:YES /TRP:YES /UUR:YES
Alternatively, you can include parameters in an option file that is specified at the command line as follows:
ADMT USER /N "user_name1" "user_name2" /O "option_file.txt"
Table 11.11 lists the common parameters used for migrating user accounts, along with the command-line parameter and option file equivalents.
Table 11.11 Common Parameters Used for User Migrations
| Parameters | Command-Line Syntax | Option File Syntax |
| --- | --- | --- |
| Source domain | /SD:"source_domain" | SourceDomain="source_domain" |
| Target domain | /TD:"target_domain" | TargetDomain="target_domain" |
| Target OU location | /TO:"target_OU" | TargetOU="target_OU" |
| Migrate SIDs | /MSS:YES | MigrateSIDs=YES |
| Do not rename accts | /RO:DONT (default) | RenameOption=DONT |
| Ignore conflicting accts and not migrate them | /CO:IGNORE (default) | ConflictOptions=IGNORE |
| Translate Roaming Profile | /TRP:YES (default) | TranslateRoamingProfile=YES |
| Update User Rights | /UUR:NO | UpdateUserRights=NO |
| Password Options | /PO:COMPLEX | PasswordOption=COMPLEX |
Review the results that are displayed on the screen for any errors.
Open Active Directory Users and Computers and locate the target OU. Verify that the users exist in the target OU.
To migrate user accounts by using a script
Prepare a script that incorporates ADMT commands and options for migrating users by using the sample script shown in Listing 11.6.
Listing 11.6 Migrating All User Accounts Between Forests
<Job id="MigratingAllUserAccountsBetweenForests">
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objUserMigration

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objUserMigration = objMigration.CreateUserMigration

   '
   'Specify general migration options.
   '
   objMigration.SourceDomain = "source domain"
   objMigration.SourceOu = "source container"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "target container"
   objMigration.PasswordOption = admtComplexPassword
   objMigration.ConflictOptions = admtIgnoreConflicting

   '
   'Specify user migration specific options.
   '
   objUserMigration.MigrateSIDs = True
   objUserMigration.TranslateRoamingProfile = True
   objUserMigration.UpdateUserRights = True
   objUserMigration.FixGroupMembership = True
   objUserMigration.MigrateServiceAccounts = False

   '
   'Migrate specified user objects.
   '
   objUserMigration.Migrate admtData, Array("user name1", "user name2")

   Set objUserMigration = Nothing
   Set objMigration = Nothing
</Script>
</Job>
For a sample script file to assist you in creating a script to migrate user accounts, see "Migrating All User Accounts Between Forests" (DSSREER_6.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating All User Accounts Between Forests" on the Web at https://www.microsoft.com/reskit).