Migrates computer accounts between Active Directory domains and forests.

The admt computer command-line tool is available in the Active Directory Migration Tool (ADMT). To run admt computer, at the command prompt, type admt computer with the appropriate parameters, and then press ENTER.

For examples of how to use this command, see Examples.

Syntax

admt computer /n "<ComputerName>"[ "<ComputerName2>"] /sd:<SourceDomain> /td:<TargetDomain>

Parameters

Parameter Description

/{n|includename} "<ComputerName>" ["<ComputerName2>"]

Specifies a computer or a list of computers to migrate.

You can specify the following value for this parameter:

  • ComputerName

    Specifies the name of the computer to migrate. Place the name of the computer in quotation marks. Separate one computer name from the next name with a space.

/{sd|sourcedomain}:"<SourceDomain>"

Specifies the NetBIOS or Domain Name System (DNS) name of the source domain from which you want to migrate objects.

/{td:targetdomain}:"<TargetDomain>"

Specifies the NetBIOS or DNS name of the target domain to which to migrate objects.

/{o|optionfile}:"<OptionFilename>"

Specifies to use an options file.

You can specify the following value for this parameter:

  • OptionFilename

    Specifies the name of the options file to use. This file contains a list of operations and parameters to use during the migration. You can specify only one options file name with the admt computer optionfile command. To specify more than one options file name, list the parameter again for each additional option file.

/{if/intraforest}:{yes|no}

Specifies whether the migration occurs within a single forest.

You can specify the following values for this parameter:

  • yes

    Specifies that the migration occurs within a single forest.

  • no

    Specifies that the migration occurs between forests. This is the default setting.

/{so|sourceou}:"<OUName>"

Specifies the name of organizational unit (OU) in the source domain. You can specify this parameter only for Active Directory source domains.

/{to|targetou}:"<OUName>"

Specifies the name of the OU in the target domain. This parameter is required for both interforest and intraforest migrations.

/{sdc|sourcedomaincontroller}:"<SourceDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the source domain to use for object migration.

Note

Read-only domain controllers (RODCs) are not permitted to be used as the source domain controller.

/{tdc|targetdomaincontroller}:"<TargetDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the target domain to use for object migration.

Note

Read-only domain controllers (RODCs) are not permitted to be used as the target domain controller.

/{pre|precheckonly}: {yes|no}

Verifies that agent deployment succeeds before ADMT performs the migration.

You can specify the following values for this parameter:

  • yes

    Performs a precheck operation.

  • no

    Does not perform a precheck operation. This is the default setting.

/{tot|translationoption}: {replace|add|remove}

Specifies how to migrate security identifiers (SIDs) between computers so that ADMT can perform security translation on a migrated computer.

You can specify the following values for this parameter:

  • replace

    Changes the SID of the migrated computer on all access control lists (ACLs) and system access control lists (SACLs) to match the target domain. This is the default setting.

  • add

    Adds the target domain SIDs to the existing source domain SIDs when ADMT migrates the computer.

  • remove

    Deletes the source domain SID from the migrated computer, and does not add the SIDs from the target domain.

/{tot|translationoption}: {replace|add|remove}

Specifies how to migrate SIDs between computers so that ADMT can perform security translation on a migrated computer.

You can specify the following values for this parameter:

  • replace

    Changes the SID of the migrated computer on all access control lists (ACLs) and system access control lists (SACLs) to match the target domain. This is the default setting.

  • add

    Adds the target domain SIDs to the existing source domain SIDs when ADMT migrates the computer.

  • remove

    Deletes the source domain SID from the migrated computer, and does not add the SIDs from the target domain.

/{tff|translatefilesandfolders}: {yes|no}

Specifies whether to update ACLs for files and folders during migration.

You can specify the following values for this parameter:

  • yes

    Updates the ACLs for files and folders when ADMT migrates this computer.

  • no

    Does not update the ACLs for files and folders when ADMT migrates this computer. This is the default setting.

/{tlg|translatelocalgroups}: {yes|no}

Specifies whether to update ACLs for local groups during migration.

You can specify the following values for this parameter:

  • yes

    Updates the ACLs for local groups when ADMT migrates this computer.

  • no

    Does not update the ACLs for local groups when ADMT migrates this computer. This is the default setting.

/{tps|translateprinters}: {yes|no}

Specifies whether to update ACLs for printer shares during migration.

You can specify the following values for this parameter:

  • yes

    Updates the ACLs for printer shares when ADMT migrates this computer.

  • no

    Does not update the ACLs for printer shares when ADMT migrates this computer. This is the default setting.

/{trg|translateregistry}: {yes|no}

Specifies whether to update ACLs for registry settings during migration.

You can specify the following values for this parameter:

  • yes

    Updates ACLs for the registry when ADMT migrates this computer.

  • no

    Does not update the ACLs for the registry when ADMT migrates this computer. This is the default setting.

/{tss|translateshares}: {yes|no}

Specifies whether to update ACLs for shared resources during migration.

You can specify the following values for this parameter:

  • yes

    Updates ACLs for the shared resources when ADMT migrates this computer.

  • no

    Does not update the ACLs for the shared resources when ADMT migrates this computer. This is the default setting.

/{tup|translateuserprofiles}: {yes|no}

Specifies whether to update ACLs for user profiles during migration.

You can specify the following values for this parameter:

  • yes

    Updates ACLs for user profiles when ADMT migrates this computer.

  • no

    Does not update the ACLs for user profiles when ADMT migrates this computer. This is the default setting.

/{tur|translateuserrights}: {yes|no}

Specifies whether to update ACLs for user rights during migration.

You can specify the following values for this parameter:

  • yes

    Updates ACLs for user rights when ADMT migrates this computer.

  • no

    Does not update the ACLs for user rights when ADMT migrates this computer. This is the default setting.

/{co|conflictoptions}: {ignore|merge[+removeuserrights] [+removemembers]|[+movemergedaccounts]}

Specifies an action for ADMT to take when it finds that an object name already exists in the target domain.

You can specify the following values for this parameter:

  • ignore

    Does not migrate the account that already exists in the target domain, and proceeds with the rest of the migration. This is the default setting.

  • merge

    Replaces the account that already exists in the target domain with the account from the source domain.

  • +removeuserrights

    Removes existing user rights from the target account. You use this parameter with the merge setting.

  • +removemembers

    Removes all existing members from the target group before merging the source group with the target group. You use this parameter with the merge setting.

  • +movemergedaccounts

    Causes ADMT to move the account from the original OU to the target OU that you specify for the current migration operation, if ADMT finds that the OU for a previously migrated account has changed the setting. You use this value with the merge value.

/{rdl|restartdelay}: <Minutes>

Specifies the number of minutes that the computer waits before it restarts after the migration finishes.

You can specify the following value for this parameter:

  • Minutes

    Specifies a number of minutes from 1 through 10. The default setting is 5 minutes.

/{cx|computerpropertiestoexclude}: {*|"<Property>"|"<Property1>"[, "<Property2>"]..."}

Specifies the properties to exclude when ADMT migrates a computer.

You can specify the following value for this parameter:

  • Property

    Specifies the property to exclude. You can list multiple properties. Separate each property with a comma, and place all properties in a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.

/{prrtry|autoprecheckretry}: {yes|no}

Specifies to retry the precheck operation to a remote computer automatically if the operation failed.

You can specify the following values for this parameter:

  • yes

    Retries the precheck operation.

  • no

    Does not retry the precheck operation. This is the default setting.

/{prrtryi|autoprecheckretryinterval}: <Minutes>

Specifies the number of minutes between each precheck retry operation.

You can specify the following value for this parameter:

  • Minutes

    Specifies a number of minutes from 1 through 1440. The default setting is 30 minutes.

ADMT uses this parameter only if the value of the /prrtry command is yes.

/{prrtryn|autoprecheckretrynumber}: <Number>

Specifies the number of times to retry the precheck retry operation.

You can specify the following value for this parameter:

  • Number

    Specifies a number from 1 through 20000. The default setting is 48.

ADMT uses this parameter only if the value of the /prrtry command is yes.

/{portry|autopostcheckretry}: {yes|no}

Verifies that the computer has restarted and joined successfully to the new domain after the postcheck retry operation finishes successfully.

You can specify the following values for this parameter:

  • yes

    Retries the postcheck operation.

  • no

    Does not retry the postcheck operation. This is the default setting.

/{portryi|autopostcheckretryinterval}: <Minutes>

Specifies the number of minutes between each postcheck retry operation.

You can specify the following value for this parameter:

  • Minutes

    Specifies a number of minutes from 1 through 60. The default setting is 5 minutes.

ADMT uses this parameter only if the value of the /portry command is yes.

/{portryn|autopostcheckretrynumber}: <Number>

Specifies the number of times to retry the postcheck retry operation.

You can specify the following value for this parameter:

  • Number

    Specifies a number from 1 through 100. The default setting is 2.

ADMT uses this parameter only if the value of the /portry command is yes.

/{f|includefile}: <FileName>

Specifies the name of a file that contains a list of computers to migrate.

You can specify the following value for this parameter:

  • FileName

    Specifies the name of the include file. This file can contain the Windows NT Security Accounts Manager (SAM) account name, relative distinguished name (also known as RDN), or canonical (CN=) name of the account.

You can specify only one file with this parameter.

/{d|includedomain}: [recurse [+{<flatten>|maintain}]]

Specifies an entire source domain or OU of accounts.

You can specify the following values for this parameter:

  • recurse

    Specifies how to migrate listed domains or OUs. If you do not use +flatten or +maintain with recurse, the default setting is +flatten.

  • +flatten

    Migrates accounts in the parent and child containers into only one target container. The accounts in the child container migrate, but the child containers themselves do not migrate.

  • +maintain

    Migrates child containers and the accounts that they contain.

/{en|excludename} "<ComputerName>" ["<ComputerName2>"]

Specifies computers to exclude from the migration.

You can specify the following value for this parameter:

  • ComputerName

    Specifies the name of the computer to exclude from migration. You can specify multiple computers to exclude. Place each computer name in quotation marks, and separate each name from the next one with a space. By default, ADMT migrates all computers in a domain or OU that you specify. You can use a maximum of two wildcard characters (*) in each name that appears in the file. You can use wildcard characters at the beginning or end of a string, or at both the beginning and end.

/{ef|excludefile}: <FileName>

Specifies the name of a file that contains the list of computers to exclude from the current migration operation.

You can specify the following value for this parameter:

  • Filename

    Specifies the name of the exclude file. This file can contain the NetBIOS names or the Windows 2000 relative distinguished names of the computers to exclude. You can specify only one file with this parameter. You can use a maximum of two wildcard characters (*) for each name in the exclude file. Although you cannot include wildcard characters in the name itself, you can include them at the beginning or end of a string, or at both the beginning and end of the string.

[/{UALLMSA | UPDATEALLMANAGEDSERVICEACCOUNTS}:{YES | <NO>}

Specifies whether all previously migrated managed service accounts will be reinstalled on the migrated computer and the Service Control Manager (SCM) will be subsequently updated.

You can specify the following values for this parameter:

  • yes

    Reinstalls all migrated managed service accounts on the target computer and updates the SCM.

  • no

    Does not reinstall all migrated managed service accounts on the target computer or update the SCM.

[/{M | UPDATEMSANAME} “name 1” “name 2”…]

Specifies a managed service account or a list of managed service accounts to be reinstalled on the migrated computer and whether the SCM will be subsequently updated.

You can specify the following value for this parameter:

  • name 1

    Specifies the name of the managed service account to reinstall. Place the name of the managed service account in quotation marks. Separate one managed service account name from the next name with a space.

Remarks

In addition to the admt computer command-line tool, you can use the Computer Migration Wizard to migrate workstations and member servers from a source domain that you specify to a target domain that you specify. For more information, see Computer Migration Wizard.

Examples

The following example migrates a computer named WORKSTATION1 from the CONTOSO domain to the TREYRESEARCH domain.

admt computer /n "WORKSTATION1" /sd:CONTOSO /td:TREYRESEARCH

The following example migrates computers that use an include file that is located at C:\temp\MyListOfComputers.txt.

admt computer /o:C:\temp\MyListOfComputers.txt