Create Migration Account Groups

Updated: September 29, 2013

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

To migrate accounts and resources within a forest, you can create an account migration group and a resource migration group with the appropriate credentials. You must then add the accounts that will be performing the Active Directory Migration Tool (ADMT) migrations to the account migration and resource migration groups, as appropriate. Because ADMT requires only a limited set of permissions, creating separate migration groups makes it possible for you to simplify administration by creating the groups, assigning the appropriate permissions, and then adding the necessary administrators to those groups. If the migration tasks for your organization are distributed across more than one administrative group, create separate migration groups for each administrative group that performs the migration.

Assign the required permissions to modify objects, such as users, global groups, and local profiles, according to the following table. The user who is running ADMT must be an administrator on the computer where ADMT is installed.

In the target domain, use a group with delegated control of the computer organizational unit (OU) and the user OU. You might want to use a separate group for the migration of workstations if this migration process is delegated to administrators who are in the same location as the workstations.

Use the information in the following table to determine the credentials that are required for your migration.

 

Migration object Credentials necessary in the source domain Credentials necessary in the target domain

User/managed service account/group

noteNote
Managed service accounts do not preserve security identifier (SID) history in an intraforest migration.

Local administrator, domain administrator, and delegated Read all user information for the source OU

Delegated Create, delete, and manage user accounts, Create, delete, and manage groups, and Modify the membership of a group for the user OU or the group OU and local administrator on the computer where ADMT is installed

Computer

Domain administrator or delegated rights to delete the objects in the source OU and member of Administrators group on each computer

Delegated permission on the computer OU and local administrator on the computer on which ADMT is installed

noteNote
If the computer has a managed service account installed, use an account that has permission to update the security descriptor of the managed service account in the target domain.

Profile

Local administrator or domain administrator; for roaming profiles, Administrator of the computer that hosts the roaming profile shared folder

Delegated Create, delete, and manage user accounts for the computer OU and local administrator on the computer where ADMT is installed

noteNote
You might need to complete additional preparation steps if you migrate roaming profiles for computers that run Windows Vista or Windows 7. For more information, see Preparing for migration of roaming profiles with computers that run Windows Vista and Windows 7.

ADMT also includes database administration roles that you can use to assign a subset of database permissions to users who perform specific migration tasks. The database administration roles and the migration tasks that they can perform are listed in the following table.

 

Role Migration task

Account migrators

Account migration tasks, such as user and group migration

Resource migrators

Resource migration tasks, such as computer migration and security translation; account migrators also hold the role of resource migrators

Data readers

Queries against that database; account migrators and resource migrators also hold the role of data readers

Users who are assigned the role of SQL Server sysadmin hold all ADMT database administration roles. They have permissions to:

  • Display database roles and users who hold those roles.

  • Add groups or users to roles.

  • Remove groups or users from roles.

By default, the local Administrators group is assigned the role of sysadmin. This group can perform all ADMT database functions.

Community Additions

ADD
Show: