ADMT Series – 7. Group Account Migration Wizard

Universal, global and domain local groups can be migrated with the ADMT tool. Each group type has different rules for membership, and each group type serves a different purpose. This affects the order that the groups are migrated from the source to the target domains.


Universal groups
Universal groups can contain members from any domain in the forest, and they can replicate group membership to the global catalog. Therefore, you can use them for administrative groups. When you restructure domains, migrate universal groups first

Global groups
Global groups can include only members from the domain to which they belong. Create global groups to organize users. Global groups should be migrated second.

Domain local groups
Domain local groups can contain users from any domain. They are used to assign permissions to resources. When you restructure domains, you must migrate domain local groups when you migrate the resources to which they provide access, or you must change the group type to universal group. This minimizes the disruption in user access to resources. Migrate Domain Local groups last.

In this example we will migrate a global security group and a domain local security group which is the member of the global group.

Migrating Global Groups

From the ADMT machine, run ADMT and select Group Account Security Wizard.

Select the source and target domain, you can also select which specific domain controller to use.

Select groups from the domain or use an include file.

Select the global groups you wish to migrate.

Select the target OU.

When migrating groups, only tick Fix membership of group and migrate group SIDs to target domain. If you choose Copy Group Members, this will migrate the AD users within the group, you do not want to do that at this stage

Fix membership of group. Select this option to add migrated user accounts to target domain groups if the user accounts were members of those groups in the source domain.

Migrate group SIDs to target domain – Select this option to add the security identifiers (SIDs) of the migrated group accounts in the source domain to the SID history of the new group accounts in the target domain. This option uses a secure connection to the source domain controller.

Enter source domain credentials to add SID history.

You can exclude particular attributes of the group here.

Conflict management, if you are unsure if a group with the same name exists in the target domain leave the default setting in place.

Click Finish

The Global security group should now be migrated to the target domain (with no members).

Migrating Local Groups

Follow the same process as above, but select the local groups you wish to migrate. You’ll notice that when you open the Local group in ADUC the Global group you migrated earlier will have been added.

What about the users?

The User accounts will be added to the relevant groups when you perform the user account migration (next part of the series).


One thought on “ADMT Series – 7. Group Account Migration Wizard

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s