Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The ClonePrincipal tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
This tool assists administrators in migrating users from Windows NT to Windows 2000 or Windows Server 2003 by creating clones of the Windows NT 4.0 users and groups in the new Windows 2000 or Windows Server 2003 environment.
Customers deploying Windows 2000 or Windows Server 2003 might want to migrate users incrementally to a new Windows 2000 or Windows Server 2003 environment without impacting their existing Windows NT 4.0 production environment. This allows users to be introduced gradually to Windows 2000 or Windows Server 2003, and allows them an emergency fallback to their old account during the trial period. It enables administrators to consolidate multiple groups from different source domains into a single destination group and old resource domains into a single organizational unit. It eliminates the need to update group memberships and access control lists (ACLs), preserving uninterrupted network access for users in the new domain structure.
ClonePrincipal must be run on a destination domain controller running Windows 2000 or Windows Server 2003.
ClonePrincipal performs tasks related to those performed by another Windows 2000 and Windows Server 2003 Support Tool, Movetree.exe, with the following differences:
ClonePrincipal is exclusively for interforest use. It copies security Principals between forests only. MoveTree is exclusively for intraforest use. It moves security Principals within the same forest only. This means that for ClonePrincipal, the source domain can be Windows NT 4.0 or Windows 2000 (mixed or native mode), while MoveTree relies on a Windows 2000 source domain.
ClonePrincipal duplicates objects from the source domain in the target domain rather than moving them to it, so the source domain is unaffected. MoveTree moves objects, which means that the operations it performs destroy objects in the source domain. Both, however, add the old security identifier (SID) to the SIDHistory.
ClonePrincipal does not maintain users' existing passwords, and MoveTree does.
To move users or groups within a Windows 2000 or Windows Server 2003 domain (for example, from one organizational unit to another), use Active Directory Users and Computers, a Microsoft Management Console snap-in that is part of Windows 2000 and Windows Server 2003.
Clonepr.dll. Component Object Model (COM) object with methods to support ClonePrincipal operations.
Clonegg.vbs. Sample script that clones all the Global Groups in a domain.
Cloneggu.vbs. Sample script that clones all the Global Groups and Users in a domain.
Clonelg.vbs. Sample script that clones all the Local Groups in a domain.
Clonepr.vbs. Sample script that clones a single security Principal.
Sidhist.vbs. Sample script that adds the SID of a source account to the SIDHistory of a destination account.
For More Information
For more information about ClonePrincipal, read Clonepr.doc in the Program Files\Support Tools directory.
You need Microsoft Word or a compatible viewer to view Clonepr.doc. You can download a free version of Microsoft Word Viewer from the Microsoft Office Download Center.
For more information about Active Directory, visit the Active Directory page on the Microsoft Windows 2000 Server Web site.