Migrating All User Accounts

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Begin the user account migration process by migrating all users. This helps you translate local profiles and ensure that users continue to have the appropriate resource access after the migration.

Note

Built-in accounts (such as Administrators, Users, and Power Users) cannot be Active Directory Migration Tool (ADMT) migration objects. Because built-in account security identifiers (SIDs) are identical in every domain, migrating these accounts to a target domain results in duplicate SIDs in a single domain. Every SID in a domain must be unique. Well-known accounts (such as Domain Admins and Domain Users) also cannot be ADMT migration objects.

The ADMT user account migration process includes the following steps:

  1. ADMT reads the attributes of the source user objects.

  2. ADMT creates a new user object in the target domain and a new primary SID for the new user account.

  3. ADMT adds the original SID of the user account to the SID history attribute of the new user account.

  4. ADMT migrates the password for the user account.

  5. If ADMT identifies global groups in the target domain that the migrated users belonged to in the source domain, the tool adds the users to the appropriate global groups in the target domain.

During the migration, audit events are logged in both the source and the target domains. ADMT excludes some system attributes by design. For more information, see Managing Users, Groups, and User Profiles.

You can migrate user accounts by using the ADMT snap-in, by using the ADMT command-line option, or by using a script. If you are migrating user accounts that have authentication mechanism assurance enabled, use an include file. In the include file, specify the original user principal names (UPNs) from the source domain as the target UPNs so that you can keep the authentication mechanism assurance working. For more information about using an include file, see Use an Include File.

Important

When you start a user migration with SID history from the command line or from a script, you must perform the migration on a domain controller in the target domain. It is recommended that you use a full version of SQL Server when you install ADMT on a domain controller.

To migrate the current batch of users by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. Use the User Account Migration Wizard by performing the steps in the following table.

    Wizard page Action

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    User Selection

    Click Select users from domain, and then click Next. On the User Selection page, click Add to select the users in the source domain that you want to migrate in the current batch, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Organizational Unit Selection

    Ensure that ADMT lists the correct target OU. If it is not correct, type the correct OU, or click Browse.

    In the Browse for Container dialog box, locate the target domain and OU, and then click OK.

    Password Options

    Click Do not update passwords for existing users.

    Click Generate complex passwords.

    Account Transition Options

    In Target Account State:, click Disable target accounts.

    In Source Account Disabling Options:, click Days until source accounts expire:, and then type the number of days you want to keep the source account. A value of seven is commonly used.

    Select the Migrate user SIDs to target domains check box.

    User Account

    Type the user name, password, and domain of a user account that has administrative credentials in the source domain.

    User Options

    Select the Translate roaming profiles check box.

    Clear the Update user rights check box.

    Clear the Migrate associated user groups check box.

    Select the Fix users’ group memberships check box.

    Object Property Exclusion

    Clear the Exclude specific object properties from migration check box.

    Conflict Management

    Click Do not migrate source object if a conflict is detected in the target domain.

    Ensure that the Before merging remove user rights for existing target accounts and Move merged objects to specified target Organizational Unit check boxes are not selected.

  3. When the wizard has finished running, click View Log, and then review the migration log for any errors.

  4. Start Active Directory Users and Computers, and then verify that the user accounts exist in the appropriate OU in the target domain.

To migrate user accounts by using the ADMT command-line option

  1. On a domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

Important

When you start a user migration with SID history from the command line, you must perform the migration on a domain controller in the target domain.

  2. At the command line, type the ADMT User command with the appropriate parameters, and then press ENTER.

    ADMT USER /N "<user_name1>" "<user_name2>" /SD:"<source_domain>" /TD:"<target_domain>" /TO:"<target_OU>" /MSS:YES /TRP:YES /UUR:NO

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT USER /N "<user_name1>" "<user_name2>" /O "<option_file>.txt"

    The following table lists the common parameters that are used for migrating user accounts, along with the command-line parameter and option file equivalents.

    Parameter                   Command-line syntax      Option file syntax
    <Source domain>             /SD:"source_domain"      SourceDomain="source_domain"
    <Target domain>             /TD:"target_domain"      TargetDomain="target_domain"
    <Target OU> location        /TO:"target_OU"          TargetOU="target_OU"
    Migrate SIDs                /MSS:YES                 MigrateSIDs=YES
    Disable option              /DOT:DISABLETARGET       DISABLEOPTION=DISABLETARGET
    Source expiration           /SEP:7                   SOURCEEXPIRATION=7
    Conflict management         /CO:IGNORE (default)     ConflictOptions=IGNORE
    Translate roaming profile   /TRP:YES (default)       TranslateRoamingProfile=YES
    Update user rights          /UUR:NO                  UpdateUserRights=NO
    Password options            /PO:COMPLEX              PasswordOption=COMPLEX

  3. Review the results that are displayed on the screen for any errors.

  4. Open Active Directory Users and Computers and locate the target OU. Verify that the users exist in the target OU.
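The last step of both the wizard and the command-line procedure is to confirm that the batch landed in the target OU. The script below is an added example, not part of ADMT or its documentation: it checks, for each user in the batch, the outcome of the settings chosen above (account present in the target OU, target account disabled, source objectSid carried over into sIDHistory, source account set to expire in about seven days). It assumes the ActiveDirectory PowerShell module (RSAT) and read access to a domain controller in each domain; the domain, OU and user names are placeholders to replace.

```powershell
# Added example (not ADMT's own code): verify a migrated user batch against the
# settings used above. Assumes the ActiveDirectory module is installed and the
# caller can read both domains. All names below are placeholders.
param(
    [string]   $SourceDomain = 'source.example.com',                          # placeholder
    [string]   $TargetDomain = 'target.example.com',                          # placeholder
    [string]   $TargetOU     = 'OU=Sales,OU=West,DC=target,DC=example,DC=com', # placeholder
    [int]      $SourceExpirationDays = 7,                                     # matches /SEP:7
    [string[]] $Users = @('user_name1', 'user_name2')                         # the batch given to ADMT USER /N
)

Import-Module ActiveDirectory

function Test-MigratedUser {
    param([string] $SamAccountName)

    $problems = New-Object System.Collections.Generic.List[string]

    $src = Get-ADUser -Identity $SamAccountName -Server $SourceDomain `
                      -Properties AccountExpirationDate -ErrorAction SilentlyContinue
    $tgt = Get-ADUser -Identity $SamAccountName -Server $TargetDomain `
                      -Properties sIDHistory -ErrorAction SilentlyContinue

    if (-not $tgt) {
        # Nothing was created; the migration log explains why (often a conflict under /CO:IGNORE).
        $problems.Add('missing in target domain')
    } else {
        # Organizational Unit Selection: the object must sit under the chosen target OU.
        if ($tgt.DistinguishedName -notlike "*,$TargetOU") { $problems.Add("not in $TargetOU") }

        # Account Transition Options: 'Disable target accounts'.
        if ($tgt.Enabled) { $problems.Add('target account is enabled') }

        # 'Migrate user SIDs to target domains': the source objectSid must appear in sIDHistory,
        # otherwise ACLs that still reference the old SID stop resolving for this user.
        if ($src) {
            $history = @($tgt.sIDHistory | ForEach-Object { $_.Value })
            if ($history -notcontains $src.SID.Value) { $problems.Add('source SID not in sIDHistory') }
        }
    }

    if (-not $src) {
        $problems.Add('missing in source domain')
    } elseif (-not $src.AccountExpirationDate) {
        # 'Days until source accounts expire': ADMT should have set accountExpires on the source object.
        $problems.Add('source account has no expiration date')
    } elseif ($src.AccountExpirationDate -gt (Get-Date).AddDays($SourceExpirationDays + 1)) {
        $problems.Add("source account expires later than $SourceExpirationDays days from now")
    }

    [pscustomobject]@{
        User     = $SamAccountName
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

$report = foreach ($u in $Users) { Test-MigratedUser -SamAccountName $u }
$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled batch stop before group or resource migration runs.
if ($report | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it on the domain controller in the target domain where ADMT runs, right after step 3, with the same user list you passed to ADMT USER /N; a user with a populated Problems column should be investigated in the migration log before the next batch starts.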

To migrate user accounts by using a script

  • Prepare a script that incorporates ADMT commands and options for migrating users by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    In your script, specify the source and target container names in the relative canonical format. For example, if the container is a child OU named Sales and its parent OU is named West, specify West/Sales as the container name. For more information, see TemplateScripts.vbs in the ADMT installation folder.

    <Job id="MigratingAllUserAccountsBetweenForests">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objUserMigration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objUserMigration = objMigration.CreateUserMigration

       '
       'Specify general migration options.
       'Container names use the relative canonical format, for example West/Sales.
       '

       objMigration.SourceDomain = "source domain"
       objMigration.SourceOu = "source container"
       objMigration.TargetDomain = "target domain"
       objMigration.TargetOu = "target container"
       objMigration.PasswordOption = admtComplexPassword
       objMigration.ConflictOptions = admtIgnoreConflicting

       '
       'Specify user migration specific options.
       'MigrateSIDs keeps the source SID in sIDHistory so existing resource access survives.
       '

       objUserMigration.MigrateSIDs = True
       objUserMigration.TranslateRoamingProfile = True
       objUserMigration.UpdateUserRights = False
       objUserMigration.FixGroupMembership = True
       objUserMigration.MigrateServiceAccounts = False

       '
       'Migrate specified user objects.
       '

       objUserMigration.Migrate admtData, Array("user name1", "user name2")

       Set objUserMigration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>