Migrates managed service accounts from a source domain that you specify to a target domain that you specify.

Admt managedserviceaccount is a command-line tool that is available in the Active Directory® Migration Tool (ADMT).

For examples of how you can use this command, see Examples.

Syntax

admt managedserviceaccount /n "<MSAName>"[ "<MSAName2>"] /sd:<SourceDomain> /td:<TargetDomain>
admt managedserviceaccount /n "<MSAName>"[ "<MSAName2>"] /o:<OptionFilename>

Parameters


/{o|optionfile}:"<OptionFilename>"

Specifies to use an options file.

You can specify the following value for this parameter:

  • OptionFilename

    Specifies the name of the options file to use. This file contains a list of operations and parameters to use during the migration. You can specify only one option file name with this parameter. To specify more than one option file, list the parameter again for each additional option file.

/{if|intraforest}:{yes|no}

Specifies whether the migration is within a single forest.

You can specify the following values for this parameter:

  • yes

    Specifies that the migration is within a single forest.

  • no

    Specifies that the migration is between forests. This is the default setting.

/{sd|sourcedomain}:"<SourceDomain>"

Specifies the NetBIOS (Network Basic Input/Output System) or Domain Name System (DNS) name of the source domain from which to migrate objects.

/{sdc|sourcedomaincontroller}:"<SourceDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the source domain to use to migrate objects.

Note

Read-only domain controllers (RODCs) are not permitted to be used as the source domain controller.

/{so|sourceou}:"<OUName>"

Specifies the name of the organizational unit (OU) in the source domain. You use this parameter only for Active Directory source domains.

/{td|targetdomain}:"<TargetDomain>"

Specifies the NetBIOS or DNS name of the target domain to which to migrate objects.

/{tdc|targetdomaincontroller}:"<TargetDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the target domain to use to migrate objects.

Note

RODCs are not permitted to be used as the target domain controller.

/{to|targetou}:"<OUName>"

Specifies the name of the OU in the target domain. This parameter is required for both interforest and intraforest migrations.

/{mss|migratesids}:{yes|no}

Specifies whether the source managed service account security identifier (SID) migrates to the SID history of the target account.

You can specify the following values for this parameter:

  • yes

    Migrates the SID from the source managed service account and adds the SID to the SID history of the target account.

  • no

    Does not migrate SIDs. This is the default setting.

Note

You can only do SID history migration on a domain controller where credentials are implicit. There is no parameter to supply them when using this command-line syntax at a member server.

/{uur|updateuserrights}:{yes|no}

Specifies whether to set the user rights of the target account to match the user rights of the source managed service account.

You can specify the following values for this parameter:

  • yes

    Changes the user rights of the target account to match the user rights of the source managed service account.

  • no

    Does not change the user rights of the target account. This is the default setting.

/{mgs|migrategroups}:{yes|no}

Specifies whether to migrate to the target domain the groups of which the source managed service account is a member. When ADMT uses this parameter to migrate a group, it does not migrate group members.

You can specify the following values for this parameter:

  • yes

    Migrates groups of which the source managed service account is a member when ADMT migrates the user account.

  • no

    Does not migrate groups that are associated with the managed service account. This is the default setting.

/{umo|updatepreviouslymigratedobjects}:{yes|no}

Specifies whether to migrate groups again during this migration that ADMT migrated previously. ADMT performs this operation only when you specify the yes value with the /migrategroups parameter during subsequent migration operations.

You can specify the following values for this parameter:

  • yes

    Migrates groups again during the current migration operation that ADMT migrated previously.

  • no

    Does not migrate groups again during the current migration operation. This is the default setting.

Note

If a group that ADMT migrated previously has since been removed from the target domain, you must specify a no value to migrate the group again.

/{fgm|fixgroupmembership}:{yes|no}

Specifies whether to add migrated managed service accounts to target domain groups if those managed service accounts were members of groups that ADMT migrated from the source domain.

You can specify the following values for this parameter:

  • yes

    Verifies group membership in the source domain, and then adds the migrated account to those same groups in the target domain. This is the default setting.

  • no

    Does not add the managed service account that ADMT migrated to groups in the target domain.

/{n|includename} "<MSAName>" ["<MSAName2>"]

Specifies a managed service account or a list of managed service accounts to migrate.

You can specify the following value for this parameter:

  • MSAName

    Specifies the name of the managed service account to migrate. Separate each managed service account name from the next one with a space.

/{f|includefile}:<FileName>

Specifies the name of a file that contains a list of managed service accounts to migrate.

You can specify the following value for this parameter:

  • FileName

    Specifies the name of the include file, which can contain the Microsoft Windows NT Security Accounts Manager (SAM) account name, relative distinguished name (also known as RDN), or canonical (CN=) name of the account. You can specify only one file with this parameter.

/{d|includedomain}:[recurse]

Specifies an entire source domain or OU of accounts. This parameter specifies to enumerate the source OU for managed service accounts. If you do not specify the source OU, ADMT enumerates the entire source domain.

You can specify the following value for this parameter:

  • recurse

    Migrates child containers and the accounts that they contain.

/{en|excludename} "<MSAName>" ["<MSAName2>"]

Specifies which managed service accounts to exclude from migration.

You can specify the following value for this parameter:

  • MSAName

    Specifies the name of the managed service account to exclude from migration. Place each managed service account name in quotation marks, and separate each managed service account name from the next one with a space. By default, ADMT migrates all managed service accounts in the domain or OU that you specify. You can use a maximum of two wildcard characters (*) for each name. You can use wildcard characters at the beginning or end of a string, or at both the beginning and end of the string.

/{ef|excludefile}:<FileName>

Specifies the name of a file that contains the list of managed service accounts to exclude from the current migration operation.

You can specify the following value for this parameter:

  • Filename

    Specifies the name of the exclude file, which can contain the NetBIOS names or the relative distinguished names of the accounts to exclude. You can specify only one file with this parameter. You can use a maximum of two wildcard characters (*) for each name in the exclude file. Although you cannot include wildcard characters in the name itself, you can include them at the beginning or end of a string, or at both the beginning and end of the string.

Remarks

In addition to the admt managedserviceaccount command-line tool, you can use the User Account Migration Wizard to migrate managed service accounts from a source domain that you specify to a target domain that you specify.

Examples

The following example migrates a managed service account named SQL-Srv1 from the CONTOSO domain to the TREYRESEARCH domain.

admt managedserviceaccount /n "SQL-Srv1" /sd:CONTOSO /td:TREYRESEARCH

The following example migrates managed service accounts by using an include file that is located at C:\temp\MyListOfAccounts.txt.

admt managedserviceaccount /f:C:\temp\MyListOfAccounts.txt /sd:CONTOSO /td:TREYRESEARCH
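The following PowerShell wrapper is an added example, not part of the ADMT documentation or the tool itself: it builds an include file of SAM account names from one source OU and then runs an interforest migration with SID history, user-rights translation and group-membership fix-up, using only the parameters documented above. The domain controller names, the source OU path and the target OU name are assumed placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original page). Builds the include file for
# /f: from the managed service accounts in one source OU, then calls
# admt managedserviceaccount with the documented interforest options.
$sourceDomain = 'CONTOSO'
$targetDomain = 'TREYRESEARCH'
$sourceDc     = 'dc1.contoso.com'       # assumed placeholder; must not be an RODC
$targetDc     = 'dc1.treyresearch.net'  # assumed placeholder; must not be an RODC
$sourceOu     = 'OU=ServiceAccounts,DC=contoso,DC=com'  # assumed placeholder
$targetOu     = 'ServiceAccounts'       # assumed placeholder target OU name
$includeFile  = 'C:\temp\MyListOfAccounts.txt'

# Enumerate the managed service accounts under the source OU.
$names = Get-ADServiceAccount -Filter * -SearchBase $sourceOu -Server $sourceDc |
         Select-Object -ExpandProperty SamAccountName
if (-not $names) { throw "No managed service accounts found under $sourceOu" }

# The include file accepts SAM account names, one per line.
$names | Set-Content -Path $includeFile -Encoding ASCII

# Interforest migration (/if:no) that carries the source SID into the target
# account's SID history (/mss:yes), matches user rights (/uur:yes) and adds
# the migrated accounts to already-migrated groups (/fgm:yes).
# /mss:yes must be run on a domain controller, where credentials are implicit.
$admtArgs = @(
    'managedserviceaccount',
    "/f:$includeFile",
    "/sd:$sourceDomain", "/sdc:$sourceDc",
    "/td:$targetDomain", "/tdc:$targetDc",
    "/to:$targetOu",
    '/if:no', '/mss:yes', '/uur:yes', '/mgs:no', '/fgm:yes'
)
& admt @admtArgs
if ($LASTEXITCODE -ne 0) { throw "admt exited with code $LASTEXITCODE" }
```

Review the generated include file before running the migration, because every account listed in it is migrated unless it matches an /en or /ef exclusion.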