Migrate Universal Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Migrate universal groups, without migrating users who are members of these groups at the same time, from the source domain to the target domain. Migrating universal groups without the users helps to protect against the problem of open sets. SID history allows group members to continue to have access to resources based on universal group membership. When you migrate universal groups to the target domain, they cease to exist in the source domain.

Note

  • If you are migrating a small number of universal groups, you can migrate universal groups at the same time that you migrate global groups.

You can migrate universal groups by using the Group Account Migration Wizard or by using a script.

To migrate universal groups without members

  • Complete the Group Account Migration Wizard by using the information provided in Table 12.6.

    Table 12.6   Using the Group Account Migration Wizard to Migrate Universal Groups

    | Wizard Page | Action |
    |---|---|
    | Test or Make Changes | Click Migrate Now? |
    | Domain Selection | In the Source domain box, type the NetBIOS or DNS name of the source domain or select the name from a list. In the Target domain box, type the NetBIOS or DNS name of the target domain. If ADMT includes the names of the source and target domains, ensure that they are correct. |
    | Group Selection | Click Add. In the Select Groups dialog box, select all universal groups that you want to migrate, click Add, and then click OK. |
    | Organizational Unit Selection | Type the name of the OU, or click Browse. In the Browse for Container dialog box, find the container in the target domain that you want to move the universal groups into, and then click OK. |
    | Group Options | The Migrate Group SIDs to target domain and Fix Group Membership check boxes are checked and appear dimmed. Click Do not rename accounts. Ensure that no other options are selected. |
    | Naming Conflicts | Click Ignore conflicting accounts and don’t migrate. |

To migrate universal groups by using a script

  • Use Listing 12.3 to prepare a script that incorporates ADMT commands and options for migrating groups within a forest.

    Listing 12.3   Migrating Groups Within a Forest

    <Job id="MigratingGroupsWithinForest">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objGroupMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objGroupMigration = objMigration.CreateGroupMigration

       '
       'Specify general migration options.
       '

       objMigration.IntraForest = True
       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"

       '
       'Migrate specified group objects.
       '

       objGroupMigration.Migrate admtData, Array("group name1", "group name2")

       Set objGroupMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>
    

    For a sample script to assist you in migrating groups, see "Migrating Groups Within a Forest" (DSSRERA_2.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Groups Within a Forest" on the Web at https://www.microsoft.com/reskit).
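
A post-migration check for the SID history behavior described at the start of this topic, as an added example that is not part of the original documentation or of ADMT: it compares an LDIF export of the universal groups taken from the source domain before migration with an export taken from the target domain afterward, and reports any group whose source SID is absent from the target group's sIDHistory. It assumes ldifde-style exports that include sAMAccountName, objectSid and sIDHistory, and that the groups keep their names; the function names, DNs and SIDs are constructed for illustration.

```python
import base64
import struct

def sid_from_bytes(raw):
    """Decode a binary SID (objectSid / sIDHistory value) to S-1-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")  # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def sid_to_bytes(sid):  # inverse of sid_from_bytes; only used to build the sample
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_ldif(text):
    """Map sAMAccountName -> {'objectSid': [sid], 'sIDHistory': [sids]}."""
    groups = {}
    for record in text.replace("\n ", "").strip().split("\n\n"):  # unfold, split records
        entry = {"objectSid": [], "sIDHistory": []}
        for line in record.splitlines():
            attr, sep, value = line.partition(":: ")  # '::' marks a base64 value
            if sep and attr in entry:
                entry[attr].append(sid_from_bytes(base64.b64decode(value)))
            elif line.startswith("sAMAccountName: "):
                groups[line.split(": ", 1)[1]] = entry
    return groups

def check_sid_history(source_ldif, target_ldif):
    """Return {group: problem} for source groups not carried over with SID history."""
    source, target = parse_ldif(source_ldif), parse_ldif(target_ldif)
    problems = {}
    for name, entry in source.items():
        if name not in target:
            problems[name] = "not found in target export"
        elif not entry["objectSid"] or entry["objectSid"][0] not in target[name]["sIDHistory"]:
            problems[name] = "source SID missing from sIDHistory"
    return problems

def make_record(name, sid, history=()):  # builds one constructed LDIF record
    b64 = lambda s: base64.b64encode(sid_to_bytes(s)).decode()
    head = ["dn: CN=%s,OU=Groups,DC=example,DC=test" % name, "sAMAccountName: " + name]
    return "\n".join(head + ["objectSid:: " + b64(sid)] + ["sIDHistory:: " + b64(h) for h in history])

# Constructed sample SIDs and exports (not from a real domain).
SRC, DST = "S-1-5-21-1000000001-2000000002-3000000003", "S-1-5-21-1500000001-2500000002-3500000003"
SOURCE_LDIF = make_record("UG-Finance", SRC + "-1105") + "\n\n" + make_record("UG-Audit", SRC + "-1106")
TARGET_LDIF = (make_record("UG-Finance", DST + "-2201", [SRC + "-1105"]) + "\n\n"
               + make_record("UG-Audit", DST + "-2202"))
```

With the constructed sample, `check_sid_history(SOURCE_LDIF, TARGET_LDIF)` flags only UG-Audit, whose target record has no sIDHistory value.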