objUserMigration.MigrateSIDs = True
objUserMigration.TranslateRoamingProfile = True
objUserMigration.UpdateUserRights = False
objUserMigration.FixGroupMembership = True
objUserMigration.MigrateServiceAccounts = False
'
'Migrate specified user objects.
'
objUserMigration.Migrate admtData, Array("user name1", "user name2")
Set objUserMigration = Nothing
Set objMigration = Nothing
</Script>
</Job>
Remigrating User Accounts and Workstations in Batches
Remigrating user accounts and workstations in batches helps you track the migration process. For each batch of users, first translate local user profiles, and then migrate workstations. Verify that the profile and workstation migration succeeded, and then migrate the user accounts. Remigrate global groups after each batch. For more information, see Remigrating All Global Groups After All Batches Are Migrated, later in this guide.
Translating Local User Profiles
ADMT only translates profiles for computers running Windows NT 4.0, Windows 2000 Server, Windows XP, or Windows Server 2003.
User profiles are stored locally on the workstation. When a user logs on to another workstation, he or she must create a new, unique local user profile. Translate the local user profiles for the first batch of users immediately after migrating all user accounts.
Local profiles are translated in replace mode because if you perform the profile translation in add mode, certain aspects of software installation that use Group Policy software deployment might not work. Any application that is packaged with Windows Installer version 2.0 (which is included on workstations running Windows 2000 Server SP3 or later and Windows XP SP1 or later, as well as in many common software packages) might not function after the profile is translated. For example, the application executable files might not be removed after the last user removes the application. When the ADMT Security Translation Wizard is translating local profiles in replace mode, it reverts to add mode if a profile is locked. This might result in a successful profile translation; however, application installations might not function after the profile is translated.
Note
The night before you notify the users to log on by using their new accounts in the target domain, translate the local user profiles. Translating profiles the night before ensures that the new user profile reflects the most current user settings.
You can translate local user profiles by using the ADMT console, the ADMT command-line option, or a script.
To translate local user profiles by using the ADMT console
1. For each workstation in the source domain that is running Windows NT 4.0, Windows 2000 Server, or Windows XP, add the ADMT resource migration account to the local Administrators group.
2. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
3. Use the Security Translation Wizard by following the steps provided in the following table.
| Wizard Page | Action |
| --- | --- |
| Security Translation Options | Click Previously migrated objects. |
| Domain Selection | Under Source, in the Domain drop-down list, type or select the NetBIOS or Domain Name System (DNS) name of the source domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller. Under Target, in the Domain drop-down list, type or select the NetBIOS or DNS name of the target domain. In the Domain controller drop-down list, type or select the name of the domain controller, or select Any domain controller, and then click Next. |
| Computer Selection Option | Click Select computers from domain, and then click Next. On the Computer Selection page, click Add to select the computers in the source domain for which you want to translate security, click OK, and then click Next. - or - Click Read objects from an include file, and then click Next. Type the location of the include file, and then click Next. |
| Translate Objects | Click User Profiles. |
| Security Translation Options | Click Replace. |
| ADMT Agent Dialog | Select Run pre-check and agent operation, and then click Start. |
4. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will need to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTask#_ComputerName.log and is stored in the Windows\ADMT\Logs\Agents folder.
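Step 1 of the console procedure can be checked for a whole batch before the wizard is run. The following VBScript is an added example and is not part of the ADMT guide; the domain name, account name, and file name are placeholders, and it assumes the local group is named Administrators (English-language Windows).

```vbscript
' Added example, not from the ADMT guide. Run with: cscript //nologo precheck.vbs
Option Explicit

' Placeholders (assumptions): replace with your own values.
Const ACCOUNT_DOMAIN = "SOURCE_DOMAIN"   ' NetBIOS name of the domain that holds the account
Const ACCOUNT_NAME = "resource_migration_account"

Dim batch, computer, notReady
' Same computer names you will select in the wizard or pass to ADMT SECURITY /N.
batch = Array("computer_name1", "computer_name2")
notReady = 0

For Each computer In batch
    If Not IsLocalAdmin(computer, ACCOUNT_DOMAIN, ACCOUNT_NAME) Then
        notReady = notReady + 1
    End If
Next

WScript.Echo notReady & " of " & (UBound(batch) + 1) & " computers need attention."
If notReady > 0 Then WScript.Quit 1

' True only if domain\account is a DIRECT member of the local Administrators
' group on the computer (queried through the ADSI WinNT provider). Membership
' through a nested group is not detected by this check.
Function IsLocalAdmin(computer, domain, account)
    Dim group, member
    IsLocalAdmin = False
    On Error Resume Next
    Set group = GetObject("WinNT://" & computer & "/Administrators,group")
    If Err.Number = 0 Then member = group.IsMember("WinNT://" & domain & "/" & account)
    If Err.Number <> 0 Then
        ' Computer unreachable, access denied, or group not found.
        WScript.Echo computer & ": query failed (0x" & Hex(Err.Number) & ") " & Err.Description
        Err.Clear
    ElseIf member Then
        WScript.Echo computer & ": OK"
        IsLocalAdmin = True
    Else
        WScript.Echo computer & ": " & domain & "\" & account & " is not in Administrators"
    End If
    On Error GoTo 0
End Function
```

The script exits with code 1 if any computer in the batch fails the check, so it can gate a scheduled translation run.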
To translate local user profiles by using the ADMT command-line option
1. On the computer in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
2. At the command line, type the ADMT Security command with the appropriate parameters. For example:
ADMT SECURITY /N "computer_name1" "computer_name2" /SD:"source_domain" /TD:"target_domain" /TO:"target_OU" /TOT:Replace /TUP:YES
Alternatively, you can include parameters in an option file that is specified at the command line as follows:
ADMT SECURITY /N "computer_name1" "computer_name2" /O "option_file.txt"
The following table lists the common parameters used for migrating user accounts, along with the command-line parameter and option file equivalents.
| Parameters | Command-Line Syntax | Option File Syntax |
| --- | --- | --- |
| Source domain | /SD:"source_domain" | SourceDomain="source_domain" |
| Target domain | /TD:"target_domain" | TargetDomain="target_domain" |
| Security translation options | /TOT:REPLACE | TranslateOption=REPLACE |
| Modify local user profile security | /TUP:YES | TranslateUserProfiles=YES |
3. Review the results that are displayed on the screen for any errors. After the wizard completes, click View Migration Log to see the list of computers, completion status, and the path to the log file for each computer. If an error is reported for a computer, you will need to refer to the log file on that computer to review any problems with local groups. The log file for each computer is named MigrationTask#_ComputerName.log and is stored in the Windows\ADMT\Logs\Agents folder.
To translate local user profiles by using a script
• Prepare a script that incorporates ADMT commands and options for translating local user profiles by using the sample script shown in the following listing. Copy the script to Notepad, and save the file with a .wsf file name extension in the same folder as the AdmtConstants.vbs file.
<Job id="TranslatingLocalProfilesBetweenForests" >
<Script language="VBScript" src="AdmtConstants.vbs" />
<Script language="VBScript" >
Option Explicit
Dim objMigration
Dim objSecurityTranslation
'
'Create instance of ADMT migration objects.
'
Set objMigration = CreateObject("ADMT.Migration" )
Set objSecurityTranslation = objMigration.CreateSecurityTranslation
'
'Specify general migration options.
'
objMigration.SourceDomain = "source domain"
objMigration.TargetDomain = "target domain"
objMigration.TargetOu = "Computers"
'
'Specify security translation specific options.
'
objSecurityTranslation.TranslationOption = admtTranslateReplace
objSecurityTranslation.TranslateUserProfiles = True
'
'Perform security translation on specified computer objects.
'
objSecurityTranslation.Translate admtData, _
   Array("computer name1", "computer name2")
Set objSecurityTranslation = Nothing
Set objMigration = Nothing
</Script>
</Job>