ADMT Series – 6. Service Account Migration Wizard

The Service Account Migration Wizard identifies, migrates and updates services that run in the context of a domain user account. ADMT does not migrate services running under the Local System account; those follow the computer automatically when the computer is migrated. Services running as Local Service or Network Service are not migrated either, because these are well-known built-in accounts that exist on every Windows computer rather than accounts that live in a domain.

When you run the Service Account Migration Wizard, you are asked to select the computers you wish to scan for service accounts. You can either search for computers in the source domain, or provide an include file (a plain text file with one computer name per line). The wizard then deploys the ADMT agent to the selected computers and scans them for services running in the context of a domain user account. After the scan is complete, you are presented with a list of the services and the service accounts they log on with.

The Service Account Migration Wizard doesn’t migrate any service accounts, nor does it make any changes to the services running under the computers you choose. It’s simply to flag the service accounts in the ADMT database.

To migrate the service account and update the service with the migrated user (in the target domain), you need to run the User Migration Wizard and select the Service Accounts highlighted in the process above. This doesn’t need to be done straight away and can be part of the User Migration Process. For this demo I will carry out the complete process so you can see what happens to the services.

This step isn’t mandatory, and you would typically only run this against your servers (see the security concerns at the bottom of this post). You may find if you have a small number of servers you would want to do this manually with a re-jig of your service accounts. Or perhaps the target domain has a different policy for service accounts, be that a naming scheme or how they are used.

Identifying Service Accounts

On XP1.source.local I’ve changed two of the services to run under domain user accounts.

From the ADMT machine, run ADMT and select Service Account Migration Wizard.

Select the source and target domain, you can also select which specific domain controller to use.

Choose Yes, update the information.

Select computers from the domain or use an include file.

Select the computers you wish to identify service accounts on.

Run the pre-check; it should pass fairly quickly. If it fails it is normally a permissions issue, so check that the account running ADMT has administrative rights on the source machine.

Once the pre-check has passed, run the pre-check and agent operation so that the agent is deployed and the scan is carried out.

Once it’s successful you can view the agent detail and log, here we can see it listing the services and service users.

The Accounts Marked as Service Accounts are shown.

Finish. The accounts chosen are now marked in the ADMT database as Service Accounts.

You can view the flagged Service Accounts under the Services Table in the ADMT Database.
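The scan the wizard's agent performs can be reproduced from the ADMT machine with PowerShell, which is useful for checking what the wizard will flag before you run it. The script below is an added example and is not part of the original post or of ADMT itself. It reads the same one-computer-per-line include file format ADMT accepts, queries Win32_Service over DCOM (WinRM is not available on an XP-era client such as XP1), and lists only services whose logon account is a domain user. The include-file path, the SOURCE NetBIOS name, the source.local suffix and the output file path are assumptions.

```powershell
# Added example (not from the original post or from ADMT): list services running
# under a domain user account on each computer named in an ADMT-style include file.
$IncludeFile  = 'C:\ADMT\service-computers.txt'   # assumed: one computer name per line
$SourceDomain = 'SOURCE'                           # assumed NetBIOS name of source.local
$OutputFile   = 'C:\ADMT\service-accounts.txt'     # assumed: include file for the User Migration Wizard

# Logon accounts the wizard does not treat as migratable service accounts.
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-SamFromLogon([string]$logon) {
    # Accept DOMAIN\user or user@domain.fqdn and return the sAMAccountName part.
    if ($logon -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($logon -match '^([^@]+)@')      { return $Matches[1] }
    return $logon
}

$computers = Get-Content -Path $IncludeFile | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

$results = foreach ($computer in $computers) {
    try {
        # DCOM so that older clients without WinRM (like XP1) can still be queried.
        $session  = New-CimSession -ComputerName $computer -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
        $services = Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop
        Remove-CimSession -CimSession $session
    } catch {
        Write-Warning "Could not query $computer (check WMI/DCOM and permissions): $($_.Exception.Message)"
        continue
    }

    foreach ($svc in $services) {
        $logon = $svc.StartName
        if ([string]::IsNullOrEmpty($logon))        { continue }
        if ($BuiltIn -contains $logon)              { continue }
        if ($logon -like 'NT SERVICE\*')            { continue }   # per-service virtual accounts
        if ($logon -like '.\*' -or $logon -like "$computer\*") { continue }   # local user accounts

        [pscustomobject]@{
            Computer       = $computer
            Service        = $svc.Name
            DisplayName    = $svc.DisplayName
            LogonAccount   = $logon
            State          = $svc.State
            InSourceDomain = ($logon -like "$SourceDomain\*") -or ($logon -like '*@source.local')
        }
    }
}

$results | Sort-Object Computer, Service | Format-Table -AutoSize

# Write the distinct source-domain service accounts, one sAMAccountName per line,
# so the list can be fed to the User Migration Wizard as an include file.
$results | Where-Object InSourceDomain |
    ForEach-Object { Get-SamFromLogon $_.LogonAccount } |
    Sort-Object -Unique |
    Set-Content -Path $OutputFile
```

Run it as an account that is a local administrator on each target computer. Services listed with a logon account from a domain other than the source domain (a trusted third domain, for example) are shown with InSourceDomain set to False and are excluded from the output file, since ADMT will only migrate accounts from the source domain.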

Migrating the Service Accounts and Updating the Service

This doesn’t have to be done straight away; it can also be part of the main user migration process.

Run the User Account Migration Wizard in ADMT

Choose the source and target domain.

Select the service account users from the domain or include file.

Select an OU for the service user accounts to be migrated to.

Choose Generate complex passwords. You will be unable to migrate the existing password, because the account has been flagged as a service account.

Keep the default settings.

Provide administrative credentials.

Make sure only Update user rights is ticked.

You can exclude particular attributes of the user object here.

Conflict management: if you are unsure whether a user with the same name already exists in the target domain, leave the default setting in place.

As the user account has been flagged as a service account, you are offered the option to migrate all service accounts and to update the SCM (Service Control Manager) entries of the services that use them.

Select Finish.

View the migration progress, once finished you can view the log. Check for any errors. Select Close.

You can see that the service account user has been migrated into the target domain.

The service has been updated with the migrated service account.

Before:

After (we only migrated the ServiceAccount user):

Security Concerns

The Service Account Migration Wizard never copies the existing password into the target domain. Instead, a new complex password is generated for each migrated service account, and because ADMT holds that password in clear text during the migration it can update the logon credentials of the affected services in the SCM. An encrypted copy of each password is stored in the password.txt file within the ADMT installation directory, so treat the ADMT machine and that file as sensitive and restrict access to them.

It is recommended that you only migrate service accounts on servers that are managed by trusted administrators. The reason is that any local administrator of a workstation or server can install a service and configure it to log on as any domain account, without knowing that account's password. A malicious user could configure a service to use a privileged domain user account with an incorrect password; once that account is flagged and migrated, a new password is generated, the service is updated with the migrated user and the correct password, and the service runs with those privileges.
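The scenario above leaves a fingerprint: a privileged domain account configured on a service that is not running (a service with a wrong password cannot start). The script below is an added example, not part of the original post or of ADMT, that audits scan results before the accounts are migrated. It resolves each flagged account in source.local, checks it against a list of privileged groups (enumerated recursively so nested membership is caught) and the adminCount attribute, and combines that with the service state. It requires the ActiveDirectory module (RSAT). The scan table is constructed sample data, and the privileged-group list and the source.local domain name are assumptions.

```powershell
# Added example (not from the original post or from ADMT): audit flagged service
# accounts for privilege in the source domain before running the User Migration Wizard.
Import-Module ActiveDirectory

$SourceDC = 'source.local'   # assumed: domain or DC to query

# Constructed sample of scan output (Computer, Service, LogonAccount, State); not real data.
$scan = @(
    [pscustomobject]@{ Computer = 'XP1'; Service = 'Spooler';  LogonAccount = 'SOURCE\ServiceAccount'; State = 'Running' },
    [pscustomobject]@{ Computer = 'XP1'; Service = 'Schedule'; LogonAccount = 'SOURCE\Administrator';  State = 'Stopped' }
)

# Assumed list of groups whose members should never be migrated as service accounts by the wizard.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'

function Get-SamFromLogon([string]$logon) {
    # Accept DOMAIN\user or user@domain.fqdn and return the sAMAccountName part.
    if ($logon -match '^[^\\]+\\(.+)$') { return $Matches[1] }
    if ($logon -match '^([^@]+)@')      { return $Matches[1] }
    return $logon
}

# Expand each privileged group once, recursively, so nested group membership is not missed.
$privilegedMembers = foreach ($group in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Server $SourceDC -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $group; Sam = $_.SamAccountName } }
    } catch {
        Write-Warning "Cannot enumerate $group on ${SourceDC}: $($_.Exception.Message)"
    }
}

$report = foreach ($entry in $scan) {
    $sam = Get-SamFromLogon $entry.LogonAccount
    try {
        $user = Get-ADUser -Identity $sam -Server $SourceDC -Properties adminCount -ErrorAction Stop
    } catch {
        Write-Warning "Cannot resolve $($entry.LogonAccount) in ${SourceDC}: $($_.Exception.Message)"
        continue
    }

    $via = @($privilegedMembers | Where-Object { $_.Sam -eq $sam } | Select-Object -ExpandProperty Group)
    $isPrivileged = ($via.Count -gt 0) -or ($user.adminCount -eq 1)

    $verdict = 'OK'
    if ($isPrivileged -and $entry.State -ne 'Running') {
        $verdict = 'BLOCK: privileged account on a service that is not running'   # matches the planted-service pattern
    } elseif ($isPrivileged) {
        $verdict = 'REVIEW: privileged account used as a service account'
    }

    [pscustomobject]@{
        Computer      = $entry.Computer
        Service       = $entry.Service
        Account       = $sam
        ServiceState  = $entry.State
        AdminCount    = $user.adminCount
        PrivilegedVia = ($via -join ', ')
        Verdict       = $verdict
    }
}

$report | Format-Table -AutoSize
```

Feed the output of the service scan in place of the constructed `$scan` table. Anything marked BLOCK should be investigated on the source server (who configured the service, and when) rather than migrated, and REVIEW entries are candidates for replacing the privileged account with a dedicated, least-privilege service account in the target domain before or instead of migration.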
