Identifying Service Accounts for Your Migration

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

This topic explains how to identify service accounts that the Active Directory Migration Tool (ADMT) will migrate to the target domain. A service account is a user account that provides a security context for applications and that is granted permission to log on as a service.

ADMT does not migrate services that run in the context of the Local System account because they are migrated when the computer is migrated. However, services that run in the context of a user account must be updated on the computer after you have completed the account migration process. ADMT also cannot migrate the Local Service or Network Service accounts because they are well-known accounts that always exist in domains.

Identifying Service Accounts

The process of identifying, migrating, and updating services that run in the context of user accounts involves three steps. First, the administrator starts ADMT in the target Active Directory domain and runs the Service Account Migration Wizard. Second, the wizard sends an agent to each specified computer, and the agent identifies (but does not migrate) every service on that computer that runs in the context of a user account. Third, and this step can occur later in the migration process, the identified accounts are migrated along with other user accounts by the User Account Migration Wizard.

The Service Account Migration Wizard scans an administrator-defined list of servers for services that are configured to authenticate with a domain account. Those accounts are then flagged as service accounts in the ADMT database. The account's password is never migrated. Instead, after the service account migration, ADMT configures the services with a clear-text copy of the new password, and an encrypted copy of that password is stored in the password.txt file in the ADMT installation folder.

An administrator of a workstation or server can install any service and configure it to run as any domain account. A malicious user who has administrator privileges can therefore configure a service to run as a domain account without the correct password (for example, by entering a password that does not meet complexity requirements); as long as the password is wrong, the service will not start. After the service account is migrated, however, ADMT configures the service on that workstation or server to use the new password, and the service then starts as the user account in the target domain.

Therefore, include in the Service Account Migration Wizard only servers that trusted administrators manage. Do not use the wizard to detect service accounts on computers that trusted administrators do not manage, such as workstations.

Dispatch agents to every server in the domain that trusted administrators manage, so that no service account is overlooked. If you miss a service that uses the same account as a service that has already been migrated, ADMT cannot synchronize the two: you must change the service account's password manually and then reset the password for that account on each server that runs the service.
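As an added example that is not part of this guide or of ADMT, the following PowerShell inventories the services on your trusted servers that run as source-domain accounts and flags accounts shared by more than one server, so you can confirm the server list is complete before the wizard's agent runs. It assumes CIM (WinRM) access to each server; the server names and the domain name are placeholders.

```powershell
# Added example, not ADMT's own code. Inventory services on trusted servers
# that run as source-domain accounts and flag accounts shared across servers.
# Assumes CIM (WinRM) access to each server; names below are placeholders.
param(
    [string[]]$Servers = @('SERVER01', 'SERVER02'),   # placeholder server names
    [string]$SourceDomain = 'SOURCEDOM'                # placeholder NetBIOS domain
)

# Accounts ADMT does not migrate (Local System, Local Service, Network Service)
# plus per-service virtual accounts; everything else is a candidate.
$builtIn = '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService|SYSTEM)|NT SERVICE\\.+)$'

$inventory = foreach ($server in $Servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
            ForEach-Object {
                # Accept DOMAIN\user or user@domain; assumption: the UPN suffix's
                # first label equals the NetBIOS name. Local accounts are skipped.
                if ($_.StartName -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
                    $dom = $Matches.dom; $acct = $Matches.user
                } elseif ($_.StartName -match '^(?<user>[^@]+)@(?<dom>.+)$') {
                    $dom = ($Matches.dom -split '\.')[0]; $acct = $Matches.user
                } else { return }
                if ($dom -ne $SourceDomain) { return }
                [pscustomobject]@{
                    Server  = $server
                    Service = $_.Name
                    Account = "$SourceDomain\$acct".ToLower()
                    State   = $_.State
                }
            }
    } catch {
        # An unreachable server means an incomplete scan: fix access and re-run,
        # just as the wizard's Update SCM step requires.
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

$inventory | Sort-Object Account, Server | Format-Table -AutoSize

# Accounts used by services on more than one server: leaving any of these
# servers out of the wizard run means ADMT cannot synchronize the account later.
$inventory | Group-Object Account | Where-Object Count -gt 1 | ForEach-Object {
    "Shared: $($_.Name) on $(($_.Group.Server | Sort-Object -Unique) -join ', ')"
}
```

Any server that produces a warning should be made reachable and the script re-run before the wizard is started, since a partial inventory is exactly what leads to the unsynchronized-account problem described above.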

When the accounts that the Service Account Migration Wizard identifies in the ADMT database as running in the context of a user account are migrated to the target domain, ADMT grants each account the right to log on as a service. If the service account is assigned rights by means of its membership in a group, the Security Translation Wizard updates the account to assign those rights. For more information about running the Security Translation Wizard, see Transitioning Service Accounts in Your Migration later in this guide.

You can identify service accounts by using the ADMT snap-in, the ADMT command-line option, or a script.

To identify service accounts by using the ADMT snap-in

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. In the ADMT snap-in, click Action, and then click Service Account Migration Wizard.

  3. Complete the Service Account Migration Wizard by using the information in the following table.

    Wizard page Action

    Domain Selection

    Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller.

    Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next.

    Update Information

    Click Yes, update the information.

    Computer Selection Option

    Click Select computers from domain, and then click Next. On the Service Account Selection page, click Add to select the accounts in the source domain that you want to migrate, click OK, and then click Next.

    Or

    Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next.

    Agent Dialog

    In Agent Actions, select Run pre-check and agent operation, and then click Start. A message will appear in the Agent Summary when the agent operations are complete. After the agent operations finish, click Close.

    Service Account Information

    Select any user accounts that do not have to be marked as service accounts in the ADMT database, and then click Skip/Include to mark the accounts as Skip.

    Completing the Service Account Migration Wizard

    Review your selections, and then click Finish.

The wizard connects to the selected computers and then sends an agent to check every service on the remote computers. The Service Account Information page lists the services that are running in the context of a user account and the name of that user account. ADMT notes in its database that these user accounts have to be migrated as service accounts. If you do not want a user account to be migrated as a service account, select the account, and then click Skip/Include to change the status from Include to Skip.

Use Update SCM to update the Service Control Manager with the new information. The Update SCM button is available only when a computer could not be reached to update its services. If you have a problem updating a service account after the account was identified and migrated, ensure that the computer you are trying to reach is available, and then restart the Service Account Migration Wizard.

In the wizard, click Update SCM to try to update the service. If you ran the Service Account Migration Wizard previously and the Update SCM button is not available, examine the ADMT log files to determine the cause of the problem. After you correct the problem and the agent can connect successfully, the Update SCM button becomes available.

To identify service accounts by using the ADMT command-line option

  1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.

  2. At the command line, type the following command, and then press ENTER:

    ADMT SERVICE /N "<computer_name1>" "<computer_name2>" /SD:"<source_domain>" /TD:"<target_domain>"

    Where <computer_name1> and <computer_name2> are the names of computers in the source domain that run service accounts.

    As an alternative, you can include parameters in an option file that is specified at the command line as follows:

    ADMT SERVICE /N "<computer_name1>" "<computer_name2>" /O:"<option_file>.txt"

    The following table lists the common parameters that are used for the identification of service accounts, along with the command-line parameter and option file equivalents.

    Values            Command-line syntax     Option file syntax
    <Source domain>   /SD:"source_domain"     SourceDomain="source_domain"
    <Target domain>   /TD:"target_domain"     TargetDomain="target_domain"

  3. Review the results that are displayed on the screen for any errors.

To identify service accounts by using a script

  • Create a script that incorporates ADMT commands and options for identifying service accounts by using the following sample script. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.

    <Job id="IdentifyingServiceAccounts">
    <Script language="VBScript" src="AdmtConstants.vbs" />
    <Script language="VBScript">
       Option Explicit

       Dim objMigration
       Dim objServiceAccountEnumeration

       '
       'Create instance of ADMT migration objects.
       '

       Set objMigration = CreateObject("ADMT.Migration")
       Set objServiceAccountEnumeration = _
          objMigration.CreateServiceAccountEnumeration

       '
       'Specify general migration options.
       '

       objMigration.SourceDomain = "source domain"

       '
       'Enumerate service accounts on the specified computers.
       'admtData is defined in AdmtConstants.vbs, included above.
       '

       objServiceAccountEnumeration.Enumerate admtData, _
          Array("computer name1", "computer name2")

       Set objServiceAccountEnumeration = Nothing
       Set objMigration = Nothing
    </Script>
    </Job>