Plan for Group Migration

Article
09/29/2014

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

Unless you can identify closed sets when you are restructuring Active Directory domains within a forest, you should migrate groups and users separately. This ensures that users continue to have access to required resources.

The following table lists each type of group and where the group is physically located.

Group type	Location
Global group	Active Directory
Universal group	Active Directory
Domain local group	Active Directory
Computer local group	Database of the local computer

Each type of group is migrated differently based on the group’s physical location and its rules for group membership. You can migrate universal groups and global groups by using the Active Directory Migration Tool (ADMT). You can transform them into universal groups for the duration of the migration, if you are not migrating closed sets. You can update computer local group membership by using the Security Translation Wizard.

Each group type has different rules for membership, and each group type serves a different purpose. This affects the order that the groups are migrated from the source to the target domains. The following table summarizes the groups and their membership rules.

Group type	Rules and membership
Universal groups	Universal groups can contain members from any domain in the forest, and they can replicate group membership to the global catalog. Therefore, you can use them for administrative groups. When you restructure domains, migrate universal groups first.
Global groups	Global groups can include only members from the domain to which they belong. ADMT automatically changes the global group in the source domain to a universal group when it is migrated to the target domain. ADMT automatically changes universal groups back to global groups after all members of the group are migrated to the target domain.
Domain local groups	Domain local groups can contain users from any domain. They are used to assign permissions to resources. When you restructure domains, you must migrate domain local groups when you migrate the resources to which they provide access, or you must change the group type to universal group. This minimizes the disruption in user access to resources. ADMT does not automatically convert domain local groups to universal groups as it does for global groups.

Universal groups

Universal groups can contain members from any domain in the forest, and they can replicate group membership to the global catalog. Therefore, you can use them for administrative groups. When you restructure domains, migrate universal groups first.

Global groups

Global groups can include only members from the domain to which they belong. ADMT automatically changes the global group in the source domain to a universal group when it is migrated to the target domain. ADMT automatically changes universal groups back to global groups after all members of the group are migrated to the target domain.

Domain local groups

Domain local groups can contain users from any domain. They are used to assign permissions to resources. When you restructure domains, you must migrate domain local groups when you migrate the resources to which they provide access, or you must change the group type to universal group. This minimizes the disruption in user access to resources.

ADMT does not automatically convert domain local groups to universal groups as it does for global groups.

Plan for Group Migration

Additional resources