You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
4.7 KiB
97 lines
4.7 KiB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
|
|
<HTML>
|
|
<HEAD>
|
|
|
|
<TITLE>User Account and Group Migration</TITLE>
|
|
|
|
<link rel=stylesheet type=text/css href=MCS-Help.css>
|
|
|
|
<META NAME="MS-HAID" CONTENT="a_ConceptAccountMigration">
|
|
<SCRIPT LANGUAGE="JScript" SRC="MCSshared.js"></SCRIPT>
|
|
|
|
</HEAD>
|
|
|
|
<BODY>
|
|
|
|
<H1>User Account and Group Migration</H1>
|
|
|
|
<P>
|
|
The Active Directory Migration Tool allows you to copy user accounts and groups from one domain to another. This product provides many options to help you migrate the user accounts and groups exactly as you need. For example, you can specify how the Active Directory Migration Tool handles the passwords for the copied user accounts. You can also test the process first to examine the user accounts and groups without copying them to the target domain.
|
|
</P>
|
|
|
|
<TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0>
|
|
<TR>
|
|
<TD VALIGN=TOP>
|
|
<IMG SRC="WARNING.GIF" WIDTH=10 HEIGHT=10 ALT="" BORDER="0"></TD>
|
|
|
|
<TD VALIGN=TOP WIDTH=5></TD>
|
|
|
|
<TD VALIGN=TOP>
|
|
<B>Warning:</B><BR>
|
|
When you migrate user accounts and groups, the tool creates all the accounts before copying the properties of those accounts. This process ensures Windows 2000 accounts that reference the distinguished names of other Windows 2000 objects in their properties, such as the Manager property, are correctly migrated. For example, if UserA is the manager of UserB, and you migrate both accounts at the same time, UserA and UserB need to exist before the tool can correctly set the Manager property of UserB. If you interrupt the migration process before it is finished, accounts may exist without the properties correctly set. You should allow the migration process to finish completely.
|
|
</TD>
|
|
</TR>
|
|
</TABLE>
|
|
|
|
|
|
<P>
|
|
When the tool migrates user accounts, the tool sets the <B>User must change password at next logon</B> property for each migrated user account. If the <B>Password never expires</B> property is set for a user account, the tool clears the <B>Password never expires</B> property for that user account.
|
|
</P>
|
|
|
|
<TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0>
|
|
<TR>
|
|
<TD VALIGN=TOP><IMG SRC="NOTE.GIF" WIDTH=10 HEIGHT=10 ALT="" BORDER="0"></TD>
|
|
|
|
<TD VALIGN=TOP WIDTH=5></TD>
|
|
|
|
<TD VALIGN=TOP>
|
|
<B>Notes:</B>
|
|
<UL>
|
|
<LI>
|
|
If the <B>User cannot change password</B> property is set for a user account, that migrated user account will be locked because the user will not be able to reset the password.
|
|
<LI>
|
|
Password complexity functions may limit the passwords the tool can assign to a user account. The tool can generate complex passwords that meet the minimum password length requirement and contain at least 3 lowercase letters, 3 uppercase letters, 3 numerical digits, and 3 symbols. If the generated password does not comply with the password complexity rules in the target domain, the tool disables the migrated user account.
|
|
</UL>
|
|
</TD>
|
|
</TR>
|
|
</TABLE>
|
|
|
|
|
|
|
|
<P>
|
|
Local groups can contain members defined in other domains. Therefore, processing local groups can be a bit more complicated than processing global groups and user accounts. When adding a local group member in the target domain, the Active Directory Migration Tool processes the group members in the following manner:
|
|
</P>
|
|
|
|
<OL>
|
|
<LI>
|
|
If the source member is also being migrated, the Active Directory Migration Tool adds the copied account to the local group in the target domain.
|
|
<LI>
|
|
If the source member is known in the target domain, it is added by its Security Identifier (SID). To be known by the target domain, the user account or group must be defined in a domain trusted by both the source and target domains.
|
|
<LI>
|
|
If the source member name exists in the target domain, this name is resolved to the target domain SID.
|
|
<LI>
|
|
If the source member name does not exist in the target domain, domains trusted by the target domain are searched for the name and the name is then resolved to its SID. If this search fails, the Active Directory Migration Tool does not add the member.
|
|
</OL>
|
|
|
|
<TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0>
|
|
<TR>
|
|
<TD VALIGN=TOP><IMG SRC="NOTE.GIF" WIDTH=10 HEIGHT=10 ALT="" BORDER="0"></TD>
|
|
|
|
<TD VALIGN=TOP WIDTH=5></TD>
|
|
|
|
<TD VALIGN=TOP>
|
|
<B>Note:</B><BR>
|
|
If you have mapped a group to a different group in the target domain, and then you migrate that group from the source domain to the target domain, the mapping information is replaced. The group is then mapped to the migrated group in the target domain.
|
|
</TD>
|
|
</TR>
|
|
</TABLE>
|
|
|
|
|
|
<P>
|
|
<A ID="relTopics" HREF="CHM=DomainMig.chm META=a_TasksMigrateAccounts; a_TasksMigrateGroups">Related Topics</A>
|
|
</P>
|
|
|
|
|
|
</BODY>
|
|
</HTML>
|