Plan for Group Migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you restructure Active Directory domains within a forest, migrate groups and users separately unless you can identify closed sets. A closed set is a collection of users and groups in which every group that a user belongs to, and every member of each of those groups, is migrated in the same batch; only then does membership stay intact across the move. Migrating groups and users separately, with the group type conversions described below, ensures that users continue to have access to the resources they need while the migration is in progress.

Table 12.1 lists each type of group and where the group is physically located.

Table 12.1   Location of Each Group Type

Group type             Location
Global group           Active Directory
Universal group        Active Directory
Domain local group     Active Directory
Computer local group   Local security database of the computer

Each type of group is migrated differently, based on where the group is stored and on its membership rules. Global, universal, and domain local groups are migrated with ADMT; if you are not migrating closed sets, global and domain local groups can be converted to universal groups for the duration of the migration so that members still in the source domain remain members. Computer local groups are not migrated by ADMT; their membership is updated by running security translation on the computers, which replaces references to source domain SIDs with the corresponding target domain accounts.

Each group type has different membership rules and serves a different purpose, and this determines the order in which groups are migrated from the source domain to the target domain. Table 12.2 summarizes the group types and their membership rules.

Table 12.2   Groups and Membership Rules

Universal groups: Universal groups can contain members from any domain in the forest, and their membership is replicated to the global catalog, which makes them suitable for forest-wide administrative groups. When you restructure domains, migrate universal groups first, because they can hold members from either the source or the target domain without any conversion.

Global groups: Global groups can contain only members from the domain to which they belong. When you migrate a global group to the target domain without migrating all of its members in the same closed set, ADMT automatically changes the group to a universal group, provided that the functional level of both the source and the target domain is Windows 2000 native or higher (universal security groups are not available in mixed mode). After all members of the group have been migrated to the target domain, ADMT changes the group back to a global group.

Domain local groups: Domain local groups can contain users and groups from any domain in the forest, but they can be granted permissions only on resources in their own domain. They are used to assign permissions to resources. When you restructure domains, migrate domain local groups together with the resources to which they grant access, or change the group type to universal before migrating them; otherwise the resources left in the source domain can no longer resolve the group. Either approach minimizes the disruption to user access to resources.
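The following script is an added example, not part of the ADMT guide or of ADMT itself. It applies the rules above to a group inventory exported from the source domain (the record layout with name, groupType and members is an assumption; the groupType bit values are the documented Active Directory flags) and produces the migration order: universal groups first, global groups flagged for conversion to universal when they are not a closed set, and domain local groups last, together with their resources. The inventory and user batch at the bottom are constructed sample data.

```python
# Added example (illustration only, not ADMT code): plan one ADMT batch of
# groups and users using the rules from Tables 12.1 and 12.2.
# Assumed input: group records with "name", the LDAP groupType attribute and a
# "members" list, as exported from the source domain with a tool such as csvde.

# Documented bit values of the Active Directory groupType attribute.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Migration order from Table 12.2 (lower value migrates first).
MIGRATION_ORDER = {"universal": 0, "global": 1, "domain local": 2}


def group_scope(group_type):
    """Return 'universal', 'global' or 'domain local' for a groupType value.

    groupType is stored as a signed 32-bit integer, so exports show security
    groups as negative numbers (for example -2147483646 for a global security
    group); masking to 32 bits restores the documented bit layout.
    """
    bits = group_type & 0xFFFFFFFF
    if bits & GROUP_TYPE_UNIVERSAL:
        return "universal"
    if bits & GROUP_TYPE_GLOBAL:
        return "global"
    if bits & GROUP_TYPE_DOMAIN_LOCAL:
        return "domain local"
    raise ValueError("groupType %#x has no recognised scope bit" % bits)


def is_security_group(group_type):
    """True for security groups, False for distribution groups."""
    return bool((group_type & 0xFFFFFFFF) & GROUP_TYPE_SECURITY_ENABLED)


def is_closed_set(group, batch):
    """True when every member of the group is itself in this migration batch.

    'batch' is the set of user and group names migrated together; a group whose
    members are all in the batch can move without any scope conversion.
    """
    return all(member in batch for member in group["members"])


def plan_group_migration(groups, migrating_users):
    """Order the groups and decide how each one is handled.

    Returns a list of dicts (name, scope, security, closed_set, action) in the
    order in which the groups should be migrated.
    """
    batch = set(migrating_users) | {g["name"] for g in groups}
    plan = []
    # sorted() is stable, so groups of equal scope keep their inventory order.
    for group in sorted(groups,
                        key=lambda g: MIGRATION_ORDER[group_scope(g["groupType"])]):
        scope = group_scope(group["groupType"])
        closed = is_closed_set(group, batch)
        if scope == "universal":
            action = "migrate first; universal groups need no conversion"
        elif scope == "global":
            if closed:
                action = "migrate as a closed set; stays a global group"
            else:
                action = ("migrate; ADMT converts it to universal until all "
                          "members are in the target domain")
        else:  # domain local
            action = ("migrate together with the resources it secures, or "
                      "convert it to universal first")
        plan.append({"name": group["name"], "scope": scope,
                     "security": is_security_group(group["groupType"]),
                     "closed_set": closed, "action": action})
    return plan


# Constructed sample inventory (not real directory data).
SAMPLE_GROUPS = [
    {"name": "FileShare-RW", "groupType": -2147483644,   # domain local security
     "members": ["Engineering", "Finance"]},
    {"name": "Engineering", "groupType": -2147483646,    # global security
     "members": ["alice", "bob"]},
    {"name": "Finance", "groupType": -2147483646,        # global security
     "members": ["alice", "dave"]},                      # dave stays in source
    {"name": "AllStaff", "groupType": -2147483640,       # universal security
     "members": ["alice", "bob", "carol"]},
]
SAMPLE_USERS = ["alice", "bob"]  # users in this migration batch

if __name__ == "__main__":
    for step in plan_group_migration(SAMPLE_GROUPS, SAMPLE_USERS):
        print("%-13s %-13s closed=%-5s %s" % (step["name"], step["scope"],
                                              step["closed_set"], step["action"]))
```

In the sample, Finance is flagged for conversion because dave is not in the batch, while Engineering and the domain local FileShare-RW (whose members are both groups in the batch) are closed sets and keep their scope.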