Migrating User Accounts

Clearly, migrating user accounts is one of the core elements of domain migration, and the process takes several steps. First, the new user object must be created within the destination domain. Only then can properties of the user objects be transferred (because you cannot reference a property on an object prior to the object existing in the directory).

Before migrating user accounts, you should consider whether you must migrate passwords for the accounts. If you do, you should perform the password migration steps first, and then perform the user account migration.

An important decision in a migration of user accounts is whether to migrate the SIDs for the user accounts to the destination domain (which creates or updates the SID history). Without the migration of the SIDs, user accounts are unable to access the network resources to which they previously had access, and you must run the Security Translation Wizard to reinstate user access to those resources.

Running the User Account Migration Wizard

To migrate user accounts, run the User Account Migration Wizard on the Action menu in ADMT. This wizard uses many of the same dialog boxes as the Group Account Migration Wizard; thus, only dialog boxes unique to the User Account Migration Wizard are shown in this section. Refer to the section entitled "Migrating Group Accounts" earlier in this chapter to see the remaining dialog boxes.

Follow these steps to migrate user accounts:

  1. Choose to test only or migrate. When the User Account Migration Wizard starts, you must specify whether you want to test the effects of migrating users or actually migrate them by selecting either the Test The Migration Settings And Migrate Later option or the Migrate Now option. Prior to running the actual migration, you should run a migration test on the user accounts.

  2. Select the domains. The Domain Selection dialog box next prompts you to select or enter the names (DNS or NetBIOS) of the source and destination domains (if the destination domain is the forest root, you must provide the DNS name).

  3. Select the users. The Select Users dialog box prompts you to select the users that you want to migrate. To add users, click Add, click Advanced, click Find Now, and then select the users to migrate (you can hold down the Ctrl key while clicking to select multiples or hold down the Shift key while clicking to select a range).

  4. Choose the OU. You are next prompted to select the OU to which the users should be migrated.

  5. Select password options. You next set the password options, choosing whether to require complex passwords, reset the password as the user name, or migrate passwords (as shown in the following screen). You can prevent users from having to provide a new password after migration by having the wizard migrate the passwords. If you select the Migrate Passwords option, you must specify the name of the source domain controller in the Password Migration Source DC box. Once the source is selected, the wizard expects to find a domain controller configured as a Password Export Server.

    image with no caption

    The setup for password migration has several requirements (refer to the section entitled "Migrating Passwords" later in this chapter for details on how to configure this):

    • The Everyone account must be a member of the Pre-Windows 2000 Compatible Access group.

    • The source domain controller must have the 128-bit high encryption pack installed and also must have the encryption key from the destination domain controller.

  6. Set the account transition options. These options tell the wizard how to move the user accounts between domains. You can enable or disable target accounts or allow target accounts to inherit account status in the source domain. You can also disable the source user accounts postmigration or wait a set number of days before disabling the accounts. The wizard will also migrate SIDs for source domain user accounts if you select the Migrate User SIDs To Target Domain option.

  7. Access authorization. When the source domain is a Windows NT 4 domain, credentials are required to authorize the migration (a user account that belongs to the Domain Admins group is required).

  8. Select user options. The User Options dialog box (as shown in the following screen) enables you to control how user accounts are handled as follows:

    • The Translate Roaming Profiles option (selected by default) migrates the roaming profiles to the destination domain.

    • The Update User Rights option (selected by default) migrates user rights from the source domain to the destination domain.

    • The Migrate Associated User Groups option lets you migrate groups from the source domain of which the user accounts are members. When you opt to let the wizard migrate the groups to which the users belong, you can select the Update Previously Migrated Objects option to enable repeated migration of the same set of users and groups during a migration that is performed progressively over time.

    • The Fix Users' Group Membership option causes the wizard to add users to all groups in the destination domain that the users are members of in the source domain.

    • You can also specify how user account names are handled (this action defaults to Do Not Rename Accounts), or you can specify a prefix or suffix to be used.

    image with no caption
  9. Exclude object properties. When migrating a Windows 2000 or Windows Server 2003 domain, you can include or exclude the properties of the user objects during the migration. By default, all properties for user objects (user and InetOrgPerson in Windows Server 2003) are included.

  10. Manage naming conflicts. Configuring how the naming conflicts are managed lets you specify how user accounts are migrated. You can select the Ignore Conflicting Accounts And Don't Migrate option, or you can opt to replace or rename migrated user accounts. If you select the Replace Conflicting Accounts option, you have three choices:

    • You can select the Remove Existing User Rights option, which instructs the wizard to remove any rights assigned to the user account in the destination domain that the user didn't have in the source domain.

    • You can select the Remove Existing Members Of Groups Being Replaced option to make the destination group membership match the source group membership.

    • You can select the Move Replaced Accounts To The Specified Target Organizational Unit option, which instructs the wizard to overwrite the user account information in the destination domain with the information from the source domain.

    By selecting the Rename Conflicting Accounts By Adding The Following option, you can rename the user accounts by adding a prefix or suffix to the source domain user account name.

Next, the user migration information is summarized. Verify that the migration is configured the way you intend before you click Finish to begin the migration. If you are running in Test mode, verify that the line Changes Will Not Be Written is present. This line indicates that this migration is running in Test mode and will not actually perform the requested changes.

When the migration is complete, summary totals are shown and you can review the migration log, which lists every user and group account migrated, including a description of the action taken or related warning/error message. This log is located in the Program Files\Active Directory Migration Tool\Logs folder and is named Migration.log (previous Migration.log files are renamed as Migration 0001.log, Migration 0002.log, etc.). Especially if you have migration errors, you should review the migration log file and the audit information by using Event Viewer to assess the overall success of the user account migration.
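
A check a practitioner might run after the wizard finishes (an added example, not part of the original text or of ADMT): it lists the accounts in the destination OU and flags those with no SID history, with SID history from a domain other than the source, or, going beyond the text, with a well-known privileged RID in SID history. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the domain names and OU are hypothetical placeholders.

```powershell
# Added example: post-migration sIDHistory audit (not ADMT's own tooling).
# Assumes the ActiveDirectory module; all names below are hypothetical.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'   # hypothetical source domain
$TargetDomain = 'target.example.com'   # hypothetical destination domain
$TargetOU     = 'OU=Migrated Users,DC=target,DC=example,DC=com'  # hypothetical OU

# Every SID carried over by the migration should start with the source domain SID.
$sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

# Well-known privileged RIDs that should not appear in a user's sIDHistory:
# 500 Administrator, 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
$privilegedRids = 500, 512, 518, 519

$report = Get-ADUser -Server $TargetDomain -SearchBase $TargetOU -Filter * -Properties SIDHistory |
    ForEach-Object {
        $user     = $_
        $history  = @($user.SIDHistory)
        $findings = @()

        if ($history.Count -eq 0) {
            # No SID migrated: access depends on the Security Translation Wizard.
            $findings += 'NoSidHistory'
        }
        foreach ($sid in $history) {
            # Last sub-authority of the SID is the RID.
            $rid = [int64](($sid.Value -split '-')[-1])
            if ($sid.AccountDomainSid.Value -ne $sourceSid) { $findings += 'UnexpectedDomain' }
            elseif ($privilegedRids -contains $rid)         { $findings += 'PrivilegedSid' }
        }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Status         = if ($findings) { ($findings | Select-Object -Unique) -join ',' } else { 'OK' }
            SidHistory     = ($history | ForEach-Object { $_.Value }) -join ';'
        }
    }

# Accounts needing attention sort to the top of the table.
$report | Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, SamAccountName |
    Format-Table -AutoSize
```

Compare the flagged accounts against the entries in Migration.log for the same run before relying on the migration's summary totals.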
