Create Migration Account Groups

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

To migrate accounts and resources within a forest, you can create an account migration group and a resource migration group with the appropriate credentials. You must then add the accounts that will be performing the Active Directory Migration Tool (ADMT) migrations to the account migration and resource migration groups, as appropriate. Because ADMT requires only a limited set of permissions, creating separate migration groups makes it possible for you to simplify administration by creating the groups, assigning the appropriate permissions, and then adding the necessary administrators to those groups. If the migration tasks for your organization are distributed across more than one administrative group, create separate migration groups for each administrative group that performs the migration.

Assign the required permissions to modify objects, such as users, global groups, and local profiles, according to the following table. The user who is running ADMT must be an administrator on the computer where ADMT is installed.

In the target domain, use a group with delegated control of the computer organizational unit (OU) and the user OU. You might want to use a separate group for the migration of workstations if this migration process is delegated to administrators who are in the same location as the workstations.

Use the information in the following table to determine the credentials that are required for your migration.

Migration object	Credentials necessary in the source domain	Credentials necessary in the target domain
User/managed service account/group Note Managed service accounts do not preserve security identifier (SID) history in an intraforest migration.	Local administrator, domain administrator, and delegated Read all user information for the source OU	Delegated Create, delete, and manage user accounts, Create, delete, and manage groups, and Modify the membership of a group for the user OU or the group OU and local administrator on the computer where ADMT is installed
Computer	Domain administrator or delegated rights to delete the objects in the source OU and member of Administrators group on each computer	Delegated permission on the computer OU and local administrator on the computer on which ADMT is installed Note If the computer has a managed service account installed, use an account that has permission to update the security descriptor of the managed service account in the target domain.
Profile	Local administrator or domain administrator; for roaming profiles, Administrator of the computer that hosts the roaming profile shared folder	Delegated Create, delete, and manage user accounts for the computer OU and local administrator on the computer where ADMT is installed Note You might need to complete additional preparation steps if you migrate roaming profiles for computers that run Windows Vista or Windows 7. For more information, see Preparing for migration of roaming profiles with computers that run Windows Vista and Windows 7.

ADMT also includes database administration roles that you can use to assign a subset of database permissions to users who perform specific migration tasks. The database administration roles and the migration tasks that they can perform are listed in the following table.

Users who are assigned the role of SQL Server sysadmin hold all ADMT database administration roles. They have permissions to:

• Display database roles and users who hold those roles.

• Add groups or users to roles.

• Remove groups or users from roles.

By default, the local Administrators group is assigned the role of sysadmin. This group can perform all ADMT database functions.