The Managed Service Account Information page of the Computer Migration Wizard in the Active Directory Migration Tool (ADMT) displays the managed service accounts that are installed on the computers that you have selected to migrate. For those managed service accounts, you can specify whether to update the Service Control Manager (SCM). You can use the Skip/Include button to select individual managed service accounts for which you want to update the SCM on a computer that will be migrated to the target domain.

Only managed service accounts that were previously migrated can be updated in the SCM of the migrated computer. For those managed service accounts, the status indicates that they are migrated. If managed service accounts appear with a status of Not Migrated, they are marked as Skip for the purpose of updating the SCM and cannot be marked as Include. To include them, stop the Computer Migration Wizard, migrate the managed service accounts with the Managed Service Account Migration Wizard or the admt managedserviceaccount command, and then retry the computer migration.

If no managed service accounts are installed on any computers selected in the Computer Migration Wizard, the Managed Service Account Information page does not appear.

Caution

You should include only those managed service accounts that trusted administrators manage. Do not use the wizard to include managed service accounts on computers that trusted administrators do not manage, such as workstations. For more information, see Identifying Service Accounts for Your Migration (http://go.microsoft.com/fwlink/?LinkId=183035).

Security information for installing managed service accounts on migrated computers

If you migrate a computer that has managed service accounts installed and you have migrated the managed service accounts, ADMT installs the managed service accounts on the computer after it is migrated to the target domain. Before ADMT installs a managed service account, it changes the security descriptor on the account to grant permissions to the target computer to reset the password and modify the userAccountControl attribute. The change to the security descriptor is necessary for installing the managed service accounts.

The Computer Migration Wizard then instructs the remote service on the target computer to install the managed service account. The installation succeeds because the computer has elevated permissions. After all computer migrations are complete, including multiple target computers running in parallel, the Computer Migration Wizard then revokes the security descriptor changes on the migrated managed service accounts before the Computer Migration Wizard finishes.

In the unlikely event that the Computer Migration Wizard crashes before it has revoked the security descriptor changes, all the target computers that have migrated managed service accounts installed retain elevated permissions to reset the password and modify the userAccountControl attribute on those accounts.

While the computer holds these elevated permissions, a network service on the computer may be able to disable a managed service account, which amounts to a denial-of-service attack on the services that run under the security context of that managed service account. The attacker may also use the managed service account credentials to access other data.

Note

The risk is smaller if only the remote service on the target computer crashes. In this case, the Computer Migration Wizard times out and revokes the security descriptor changes itself.

To mitigate this risk, ADMT logs every change to the security descriptors of the migrated managed service accounts for reference. If the Computer Migration Wizard crashes before it revokes those changes, an administrator should manually revoke them in Active Directory Domain Services (AD DS) so that the target computers no longer hold elevated permissions to reset passwords and enable or disable the managed service accounts.

The changes to the security descriptors are logged in the computer migration log file that is named Migration<TaskID>.log. The log file is located in the %windir%\ADMT\Logs folder on the computer that runs ADMT. The log messages and their descriptions are listed in the following table.

Log message: Security descriptor for managed service account '%1' now allows computer '%2' to reset its password and modify its userAccountControl attribute.
Logged when: ADMT successfully modifies the security descriptor of a managed service account.

Log message: Security descriptor for managed service account '%1' was restored.
Logged when: ADMT successfully restores the security descriptor of a managed service account.

Log message: Unable to modify security descriptor for managed service account '%1', hr=%2!lx!. Subsequent installation of this managed service account on computer '%3' will fail.
Logged when: ADMT fails to modify the security descriptor of a managed service account.

Log message: Failed to restore security descriptor for managed service account '%1', hr=%2!lx!.
Logged when: ADMT fails to restore the security descriptor of a managed service account.
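As an added example (not ADMT's own code), the following PowerShell reads lines in the message format of the table above and reports the managed service account/computer pairs whose security descriptor was modified but never restored, which is the state left behind when the wizard crashes. The sample lines, their timestamp prefix, and the account and computer names are constructed; the function name is an assumption.

```powershell
# Added example, not part of ADMT. Matches on the message text only, so any
# prefix the real log puts before each message (timestamp, task id) is ignored.
function Get-UnrestoredMsaGrant {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pending = [ordered]@{}   # MSA name -> computer that was granted the rights
    foreach ($line in $LogLines) {
        if ($line -match "managed service account '([^']+)' now allows computer '([^']+)'") {
            $pending[$Matches[1]] = $Matches[2]   # grant recorded by the success message
        } elseif ($line -match "managed service account '([^']+)' was restored") {
            $pending.Remove($Matches[1])          # grant revoked by the restore message
        }
        # "Failed to restore ..." and "Unable to modify ..." leave $pending unchanged:
        # a failed restore still needs manual revocation, a failed modify granted nothing.
    }
    foreach ($msa in $pending.Keys) {
        [pscustomobject]@{ ServiceAccount = $msa; Computer = $pending[$msa] }
    }
}

# Constructed sample lines (timestamp prefix is illustrative, names are placeholders).
$sample = @(
    "2010-03-01 10:01:02 Security descriptor for managed service account 'svc_web' now allows computer 'WEB01' to reset its password and modify its userAccountControl attribute.",
    "2010-03-01 10:01:03 Security descriptor for managed service account 'svc_sql' now allows computer 'SQL01' to reset its password and modify its userAccountControl attribute.",
    "2010-03-01 10:05:10 Security descriptor for managed service account 'svc_web' was restored.",
    "2010-03-01 10:05:11 Failed to restore security descriptor for managed service account 'svc_sql', hr=80070005."
)
Get-UnrestoredMsaGrant -LogLines $sample
```

To check a real migration, replace the sample with Get-Content on the Migration<TaskID>.log file in %windir%\ADMT\Logs on the computer that ran ADMT.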

To manually revoke the changes to the security descriptor, complete the following procedure.

To revoke changes to the security descriptor of a migrated managed service account
  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Click View, and then click Advanced Features.

  3. Navigate to the container that has the managed service account, right-click the account, and then click Properties.

    By default, managed service accounts are created in the Managed Service Accounts container.

  4. Click the Security tab, and then click the access control entry for the computer object.

  5. For Reset password, clear the Allow check box.

  6. Click Advanced.

  7. Click the access control entry for the computer object, click Edit, and then for Write userAccountControl, clear the Allow check box.

  8. Click OK twice, click Apply, and then click OK again to close the Properties dialog box.
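The same revocation can be scripted with the ActiveDirectory PowerShell module; this is an added example, not ADMT's own code. It assumes the module is installed, that Reset Password is identified by its well-known control-access-right GUID and Write userAccountControl by the attribute's schema GUID (both given in the code), and that the account and computer names (svc_web, WEB01) and the function name are placeholders.

```powershell
# Added example, not part of ADMT. Removes only the Allow entries for the named
# computer that grant the two rights ADMT added; nothing else in the ACL changes.
Import-Module ActiveDirectory

# Well-known GUIDs (assumed to match your forest; confirm before use).
$ResetPasswordGuid      = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$UserAccountControlGuid = [Guid]'bf967a68-0de6-11d0-a285-00aa003049e2'   # userAccountControl attribute

function Revoke-MsaComputerGrant {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # MSA name as shown in the log ('%1')
        [Parameter(Mandatory)][string]$Computer,         # computer name as shown in the log ('%2')
        [switch]$AuditOnly                               # list the matching entries, change nothing
    )
    $msaDn       = (Get-ADServiceAccount -Identity $ServiceAccount).DistinguishedName
    $computerSid = (Get-ADComputer -Identity $Computer).SID
    $acl         = Get-Acl -Path "AD:\$msaDn"

    # Steps 4 to 7 of the manual procedure: the Allow entries for the computer that
    # grant Reset Password (an extended right) or Write userAccountControl.
    $aces = $acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $computerSid) -and
        (
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             $_.ObjectType -eq $ResetPasswordGuid) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
             $_.ObjectType -eq $UserAccountControlGuid)
        )
    }
    foreach ($ace in $aces) {
        Write-Output ("{0}: {1} {2} {3}" -f $msaDn, $ace.IdentityReference, $ace.ActiveDirectoryRights, $ace.ObjectType)
        if (-not $AuditOnly) { [void]$acl.RemoveAccessRule($ace) }
    }
    # Step 8: write the modified security descriptor back to AD DS.
    if (-not $AuditOnly -and $aces) { Set-Acl -Path "AD:\$msaDn" -AclObject $acl }
}

# Placeholder names; run with -AuditOnly first to see what would be removed.
Revoke-MsaComputerGrant -ServiceAccount 'svc_web' -Computer 'WEB01' -AuditOnly
```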

User Interface options on the Managed Service Account Information page

The Managed Service Account Information page has the following options:

  • Update SCM for all managed service accounts

    Select this option to update the SCM for all managed service accounts that were previously migrated to the target domain and are installed on the computers that will be migrated. The Active Directory Migration Tool (ADMT) updates the SCM for all managed service accounts that you specify to be included when you click the Skip/Include button.

  • Do not update SCM for any managed service accounts

    Select this option to prevent reinstallation of migrated managed service accounts on the migrated computer and subsequent updates to the SCM.