Troubleshooting Managed Service Account Migration Issues

Updated: September 29, 2013

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic describes known issues related to migrating standalone managed service accounts with the Active Directory Migration Tool (ADMT). Only ADMT v3.2 can migrate standalone managed service accounts. Group managed service accounts cannot be migrated.

You may need to revoke changes to the security descriptor of a managed service account if the Computer Migration Wizard crashes

If you migrate a computer that has managed service accounts installed and you have migrated the managed service accounts, ADMT installs the managed service accounts on the computer after it is migrated to the target domain. Before ADMT installs a managed service account, it changes the security descriptor on the account to grant permissions to the target computer to reset the password and modify the userAccountControl attribute. The change to the security descriptor is necessary for installing the managed service accounts.

Security Note
While the computer holds these elevated permissions, a network service running on it can disable the managed service account, which amounts to a denial-of-service attack on every service that runs under that account's security context. An attacker in that position may also use the managed service account credentials to access other data.

To mitigate this risk, ADMT logs changes to the security descriptors of the migrated managed service accounts for reference. If the Computer Migration Wizard crashes, check the log file for the migrated computer. For each managed service account, verify that the permission was revoked. If it was not, manually revoke these changes in Active Directory Domain Services (AD DS) to prevent the target computers from being granted elevated permissions to reset passwords and enable and disable the managed service accounts.

The changes to the security descriptors are logged in the computer migration log file that is named Migration<TaskID>.log. The log file is located in the %windir%\ADMT\Logs folder on the computer that runs ADMT. The log messages and their descriptions are listed in the following table.

Log message: Security descriptor for managed service account '%1' now allows computer '%2' to reset its password and modify its userAccountControl attribute.
Logged when: ADMT successfully modifies the security descriptor of a managed service account.

Log message: Security descriptor for managed service account '%1' was restored.
Logged when: ADMT successfully restores the security descriptor of a managed service account.

Log message: Unable to modify security descriptor for managed service account '%1', hr=%2!lx!. Subsequent installation of this managed service account on computer '%3' will fail.
Logged when: ADMT fails to modify the security descriptor of a managed service account.

Log message: Failed to restore security descriptor for managed service account '%1', hr=%2!lx!.
Logged when: ADMT fails to restore the security descriptor of a managed service account.
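The check described above (every "now allows computer" entry must be followed by a "was restored" entry for the same account) can be automated by parsing the Migration<TaskID>.log file. The following is an added example, not part of the ADMT documentation or tooling; the sample log lines are constructed from the message templates in the table, with any ADMT line prefix omitted, and the account and computer names are made up.

```python
import re

# ADMT message templates from the table above, with the %1/%2 placeholders
# turned into capture groups. search() is used so any log-line prefix is tolerated.
GRANTED = re.compile(
    r"Security descriptor for managed service account '(?P<msa>[^']+)' now allows "
    r"computer '(?P<computer>[^']+)' to reset its password")
RESTORED = re.compile(
    r"Security descriptor for managed service account '(?P<msa>[^']+)' was restored\.")
RESTORE_FAILED = re.compile(
    r"Failed to restore security descriptor for managed service account '(?P<msa>[^']+)'")

def find_unrestored(log_text):
    """Return {msa: computer} for every account whose elevated grant was logged
    but never followed by a matching 'was restored' message (or whose restore
    explicitly failed). Each entry is a security descriptor to revoke by hand."""
    pending = {}
    for line in log_text.splitlines():
        m = GRANTED.search(line)
        if m:
            pending[m["msa"]] = m["computer"]
            continue
        m = RESTORED.search(line)
        if m:
            pending.pop(m["msa"], None)
            continue
        m = RESTORE_FAILED.search(line)
        if m and m["msa"] not in pending:
            # Restore failure without a preceding grant line (e.g. truncated log)
            pending[m["msa"]] = "(computer not logged)"
    return pending

# Constructed sample: svc-web was restored, svc-sql never was, svc-rpt failed to restore.
SAMPLE_LOG = """\
Security descriptor for managed service account 'svc-web' now allows computer 'APP01' to reset its password and modify its userAccountControl attribute.
Security descriptor for managed service account 'svc-web' was restored.
Security descriptor for managed service account 'svc-sql' now allows computer 'APP01' to reset its password and modify its userAccountControl attribute.
Security descriptor for managed service account 'svc-rpt' now allows computer 'APP01' to reset its password and modify its userAccountControl attribute.
Failed to restore security descriptor for managed service account 'svc-rpt', hr=80070005.
"""

if __name__ == "__main__":
    for msa, computer in find_unrestored(SAMPLE_LOG).items():
        print(f"REVOKE NEEDED: '{msa}' still grants reset-password and "
              f"write-userAccountControl to computer '{computer}'")
```

Run it against the real log with `find_unrestored(open(path, encoding="utf-16").read())` if the file is UTF-16, or the appropriate encoding for your ADMT installation; every account it reports needs the manual procedure below.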

To manually revoke the changes to the security descriptor, complete the following procedure.

To revoke changes to the security descriptor of a migrated managed service account

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. Navigate to the container that has the managed service account, right-click the account, and then click Properties.

    By default, managed service accounts are created in the Managed Service Accounts container.

  4. Click the Security tab, and then click the access control entry for the computer object.

  5. For Reset password, clear the Allow check box.

  6. Click Advanced.

  7. Click the access control entry for the computer object, click Edit, and then for Write userAccountControl, clear the Allow check box.

  8. Click OK twice, click Apply, and then click OK again to close the Properties dialog box.