Translating Security in Add Mode
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Translate security on servers to add the SIDs of the user and group accounts in the target domain to the ACLs of the resources. After objects are migrated to the target domain, the objects contain the ACL entries from both the source and the target domains. Use the Security Translation Wizard in ADMT to add the target domain SIDs for the migrated objects. Run the Security Translation Wizard on all files, shares, printers, local groups, and at least one domain controller (to translate security on shared local groups).
You can translate security in add mode on objects by using the ADMT console, by using the ADMT command-line option, or by using a script.
To translate security in add mode on objects by using the ADMT console
1. On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT account migration account.
2. Open the Active Directory Migration Tool, and then select Security Translation Wizard.
3. Complete the Security Translation Wizard by using the information in Table 11.22.
Table 11.22 Using the ADMT Security Translation Wizard in Add Mode
| Wizard Page | Action |
| --- | --- |
| Test or Make Changes | Click Migrate Now? |
| Security Translation Options | Click Previously migrated objects. |
| Domain Selection | In the Source domain box, type or select the name of the source account domain. In the Target domain box, type or select the name of the target domain. |
| Translate Objects | Clear the User Profiles check box. Select all other check boxes. |
| Security Translation Options | Click Add. |
To translate security in add mode on objects by using a script
Prepare a script that incorporates ADMT commands and options for translating security in add mode on objects by using the sample script shown in Listing 11.11.
Listing 11.11 Translating Security in Add Mode on Objects Between Forests
```xml
<Job id="TranslatingSecurityInAddModeOnObjectsBetweenForests">
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript">
   Option Explicit

   Dim objMigration
   Dim objSecurityTranslation

   '
   'Create instance of ADMT migration objects.
   '
   Set objMigration = CreateObject("ADMT.Migration")
   Set objSecurityTranslation = objMigration.CreateSecurityTranslation

   '
   'Specify general migration options.
   '
   objMigration.SourceDomain = "source domain"
   objMigration.TargetDomain = "target domain"
   objMigration.TargetOu = "Computers"

   '
   'Specify security translation specific options.
   '
   objSecurityTranslation.TranslationOption = admtTranslateAdd
   objSecurityTranslation.TranslateFilesAndFolders = True
   objSecurityTranslation.TranslateLocalGroups = True
   objSecurityTranslation.TranslatePrinters = True
   objSecurityTranslation.TranslateRegistry = True
   objSecurityTranslation.TranslateShares = True
   objSecurityTranslation.TranslateUserProfiles = False
   objSecurityTranslation.TranslateUserRights = True

   '
   'Perform security translation on specified computer objects.
   '
   objSecurityTranslation.Translate admtData, _
      Array("computer name1","computer name2")

   Set objSecurityTranslation = Nothing
   Set objMigration = Nothing
</Script>
</Job>
```
For a sample script file to assist you in creating a script to translate security in add mode on objects, see "Translating Security in Add Mode on Objects Between Forests" (DSSREER_11.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Translating Security in Add Mode on Objects Between Forests" on the Web at https://www.microsoft.com/reskit).
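A check a practitioner might run once the translation has finished, as an added example that is not part of the original page or of ADMT: it reports ACEs that still name a source-domain SID without a matching ACE for the migrated account's target SID. The SIDs, the SID map, the SDDL string, and the function name Find-UntranslatedAce are constructed for illustration.

```powershell
# Added example. Every SID and the SDDL string below are constructed sample data.
$SrcDom = 'S-1-5-21-1111111111-2222222222-3333333333'   # source domain (constructed)
$TgtDom = 'S-1-5-21-1234567890-1234567891-1234567892'   # target domain (constructed)

# Source SID -> target SID for each migrated account (hypothetical mapping).
$SidMap = @{
    "$SrcDom-1105" = "$TgtDom-2107"
    "$SrcDom-1106" = "$TgtDom-2108"
}

# Account 1105 already has both ACEs (add mode applied); account 1106 does not.
$SampleSddl = "D:(A;OICI;FA;;;$SrcDom-1105)(A;OICI;FA;;;$TgtDom-2107)(A;OICI;0x1200a9;;;$SrcDom-1106)"

function Find-UntranslatedAce {
    param(
        [Parameter(Mandatory = $true)] [string]    $Sddl,
        [Parameter(Mandatory = $true)] [hashtable] $SidMap
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    if ($null -eq $sd.DiscretionaryAcl) { return }      # no DACL, nothing to compare

    # Key = trustee SID + ACE type + inheritance flags + access mask.
    $key = { param($sid, $ace) '{0}|{1}|{2}|{3}' -f $sid, $ace.AceType, $ace.AceFlags, $ace.AccessMask }

    # Index every ACE that carries a trustee SID (custom ACE types do not).
    $present = @{}
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $present[(& $key $ace.SecurityIdentifier.Value $ace)] = $true
    }

    # A source-SID ACE is translated only if an identical ACE exists for the target SID.
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $src = $ace.SecurityIdentifier.Value
        if (-not $SidMap.ContainsKey($src)) { continue }
        if ($present.ContainsKey((& $key $SidMap[$src] $ace))) { continue }
        [pscustomobject]@{
            SourceSid         = $src
            ExpectedTargetSid = $SidMap[$src]
            AceType           = $ace.AceType
            AccessMask        = '0x{0:x}' -f $ace.AccessMask
        }
    }
}

Find-UntranslatedAce -Sddl $SampleSddl -SidMap $SidMap | Format-Table -AutoSize
```

For a real resource, pass `(Get-Acl -Path <path>).Sddl` as `-Sddl` and build the map from your own migration records.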