Migrates user accounts and service accounts from a source domain that you specify to a target domain that you specify.

Admt user is a command-line tool that is available in the Active Directory Migration Tool (ADMT).

For examples of how this command can be used, see Examples.

Syntax

admt user /n "<UserName>"[ "<UserName2>"] /sd:<SourceDomain> /td:<TargetDomain>
admt user /n "<UserName>"[ "<UserName2>"] /o:<OptionFilename>

Parameters

Parameter Description

/{o|optionfile}:"<OptionFilename>"

Specifies to use an options file.

You can specify the following value for this parameter:

  • OptionFilename

    Specifies the name of the options file to use. This file contains a list of operations and parameters to use during the migration. You can specify only one option file name with this parameter. To specify more than one option file, list the parameter again for each additional option file.

/{if|intraforest}:{yes|no}

Specifies whether the migration is within a single forest.

You can specify the following values for this parameter:

  • yes

    Specifies that the migration is within a single forest.

  • no

    Specifies that the migration is between forests. This is the default setting.

/{sd|sourcedomain}:"<SourceDomain>"

Specifies the NetBIOS or Domain Name System (DNS) name of the source domain from which to migrate objects.

/{sdc|sourcedomaincontroller}:"<SourceDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the source domain to use to migrate objects.

Note

Read-only domain controllers (RODCs) are not permitted to be used as the source domain controller.

/{so|sourceou}:"<OUName>"

Specifies the name of the organizational unit (OU) in the source domain. You use this parameter only for Active Directory source domains.

/{td|targetdomain}:"<TargetDomain>"

Specifies the NetBIOS or DNS name of the target domain to which to migrate objects.

/{tdc|targetdomaincontroller}:"<TargetDomainControllerName>"

Specifies the NetBIOS or DNS name of the domain controller in the target domain to use to migrate objects.

Note

Read-only domain controllers (RODCs) are not permitted to be used as the target domain controller.

/{to|targetou}:"<OUName>"

Specifies the name of the OU in the target domain. This parameter is required for both interforest and intraforest migrations.

/{po|passwordoption}: {complex|copy [+notexisting]}

Determines how ADMT sets the password for the newly created account in the target domain.

Note

When ADMT migrates service accounts, it generates a complex password automatically, regardless of the value that you specify for this parameter in the admt user command-line tool or the User Account Migration Wizard.

You can specify the following values for this parameter:

  • complex

    Generates a random password that contains a combination of uppercase and lowercase letters, numbers, and symbols. This is the default setting.

  • copy

    Migrates the existing password from the source domain.

  • +notexisting

    Does not update passwords for existing users.

/{ps|passwordserver}:"<ServerName>"

Specifies the name of the source domain controller that hosts the Password Export Server (PES) service. Enclose the server name in quotation marks.

/{pf|passwordfile}:"<FileName>"

Specifies the path and name of the password file that ADMT creates. You specify this parameter only when you use the complex value with the /passwordoption parameter. Enclose the entire path in quotation marks.

/{dot|disableoption}:{[disablesource+] enabletarget|disabletarget|<targetsameassource>}

Determines which account, if any, to disable after migration.

You can specify the following values for this parameter:

  • disablesource+

    Disables the accounts in the source domain after ADMT migrates those accounts successfully to the target domain.

  • enabletarget

    Enables the accounts in the target domain so that ADMT can use them immediately. This is the default setting.

  • disabletarget

    Disables the target accounts after the migration finishes.

  • targetsameassource

    Matches the state of the target account to the state of the source user account. This is the default setting.

/{sep|sourceexpiration}: {none|<Days>}

Defines the number of days that the source user account is valid before it expires.

You can specify the following values for this parameter:

  • none

    Specifies that the source user account does not expire. This is the default setting.

  • Days

    Specifies the number of days (1 through 1095) that ADMT waits after the migration finishes before it disables the source user account.

/{mss|migratesids}: {yes|no}

Specifies whether the source user account security identifier (SID) migrates to the SID history of the target account.

You can specify the following values for this parameter:

  • yes

    Migrates the SID from the source user account and adds the SID to the SID history of the target account.

  • no

    Does not migrate SIDs. This is the default setting.

Note

You can only do SID history migration on a domain controller where credentials are implicit. There is no parameter to supply them when using this command-line syntax at a member server.

/{trp|translateroamingprofile}: {yes|no}

Specifies whether to translate the roaming profile from the source user account to the target user account. This parameter also associates the target user account with the roaming profile.

You can specify the following values for this parameter:

  • yes

    Translates the roaming profile when ADMT migrates the account. This parameter also associates the target account with the roaming profile.

  • no

    Does not translate the roaming profile when ADMT migrates the account. This is the default setting.

/{uur|updateuserrights}: {yes|no}

Specifies whether to set the user rights of the target account to match the user rights of the source user account.

You can specify the following values for this parameter:

  • yes

    Changes the user rights of the target account to match the user rights of the source user account.

  • no

    Does not change the user rights of the target account. This is the default setting.

/{mgs|migrategroups}: {yes|no}

Specifies whether to migrate to the target domain the groups of which the source user is a member. When ADMT uses this parameter to migrate a group, it does not migrate group members.

You can specify the following values for this parameter:

  • yes

    Migrates groups of which the source user is a member when ADMT migrates the user account.

  • no

    Does not migrate groups that are associated with the user account. This is the default setting.

/{umo|updatepreviouslymigratedobjects}: {yes|no}

Specifies whether to migrate groups again during this migration that ADMT migrated previously. ADMT performs this operation only when you specify the yes value with the /migrategroups parameter during subsequent migration operations.

You can specify the following values for this parameter:

  • yes

    Migrates groups again during the current migration operation that ADMT migrated previously.

  • no

    Does not migrate groups again during the current migration operation. This is the default setting.

Note

If a group that ADMT migrated previously has since been removed from the target domain, you must specify a no value to migrate the group again.

/{fgm|fixgroupmembership}: {yes|no}

Specifies whether to add migrated users to target domain groups if those users were members of groups that ADMT migrated from the source domain.

You can specify the following values for this parameter:

  • yes

    Verifies group membership in the source domain, and then adds the migrated account to those same groups in the target domain. This is the default setting.

  • no

    Does not add the user account that ADMT migrated to groups in the target domain.

/{msa|migrateserviceaccounts}: {yes|no}

Specifies whether user accounts that the Service Account Migration Wizard identifies as service accounts should also migrate.

You can specify the following values for this parameter:

  • yes

    Migrates user accounts that the Service Account Migration Wizard identifies as service accounts. This is the default setting.

  • no

    Does not migrate user accounts that the Service Account Migration Wizard identifies as service accounts.

/{co|conflictoptions}: {ignore|merge [+removeuserrights] [+removemembers]|[+movemergedaccounts]}

Specifies an action for ADMT to take when it finds that an object name already exists in the target domain.

You can specify the following values for this parameter:

  • ignore

    Does not migrate the account that already exists in the target domain and continues the migration. This is the default setting.

  • merge

    Replaces the account that already exists in the target domain with the account from the source domain.

  • +removeuserrights

    Removes existing user rights from the target account. You can use this value with the merge value.

  • +removemembers

    Removes all existing members from the target group before ADMT merges the source group with the target group. You can use this value with the merge value.

  • +movemergedaccounts

    Moves the account from the original OU to the target OU that you specify for the current migration operation if ADMT finds that an OU for a previously migrated account has changed. You can use this value with the merge value.

/{ux|userpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}

Specifies properties to exclude when ADMT migrates a user account.

You can specify the following value for this parameter:

  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify a wildcard character (*) only to exclude all properties.

/{ix|inetorgpersonpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}

Specifies properties to exclude when ADMT migrates an inetOrgPerson account.

You can specify the following value for this parameter:

  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify a wildcard character (*) only to exclude all properties.

/{gx|grouppropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}

Specifies properties to exclude when ADMT migrates a group account.

You can specify the following value for this parameter:

  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify a wildcard character (*) only to exclude all properties.

/{n|includename} "<UserName>" ["<UserName2>"]

Specifies a user or a list of users to migrate.

You can specify the following value for this parameter:

  • UserName

    Specifies the name of the user to migrate. Place each user name in quotation marks. Separate each user name from the next one with a space.

/{f|includefile}: <FileName>

Specifies the name of a file that contains a list of users to migrate.

You can specify the following value for this parameter:

  • FileName

    Specifies the name of the include file, which can contain the Windows NT Security Accounts Manager (SAM) account name, relative distinguished name (also known as RDN), or canonical (CN=) name of the account. You can specify only one file with this parameter.

/{d|includedomain}: [recurse [+{<flatten>|maintain}]]

Specifies an entire source domain or OU of accounts. This parameter specifies to enumerate the source OU for service accounts or user accounts. If you do not specify the source OU, ADMT enumerates the entire source domain.

You can specify the following values for this parameter:

  • recurse

    Specifies how to migrate listed domains or OUs. If you do not specify the +flatten value or the +maintain value with recurse, ADMT uses +flatten as the default value.

  • +flatten

    Migrates accounts in the parent and child containers into only one target container. The accounts in the child container migrate, but the child containers do not migrate.

  • +maintain

    Migrates child containers and the accounts that they contain.

/{en|excludename} "<UserName>" ["<UserName2>"]

Specifies which users to exclude from migration.

You can specify the following value for this parameter:

  • UserName

    Specifies the name of the user to exclude from migration. Place each user name in quotation marks, and separate each user name from the next one with a space. By default, ADMT migrates all user accounts in a domain or OU that you specify. You can use a maximum of two wildcard characters (*) for each name in the file. You can use wildcard characters at the beginning or end of a string, or at both the beginning and end of the string.

/{ef|excludefile}: <FileName>

Specifies the name of a file that contains the list of users to exclude from the current migration operation.

You can specify the following value for this parameter:

  • Filename

    Specifies the name of the exclude file, which can contain the NetBIOS names or the Windows 2000 relative distinguished names of the accounts to exclude. You can specify only one file with this parameter. You can use a maximum of two wildcard characters (*) for each name in the exclude file. Although you cannot include wildcard characters in the name itself, you can include them at the beginning or end of a string, or at both the beginning and end of the string.

Remarks

In addition to the admt user command-line tool, you can use the User Account Migration Wizard to migrate users from a source domain that you specify to a target domain that you specify.

Examples

The following example migrates a user named JohnSmith from the CONTOSO domain to the TREYRESEARCH domain.

admt user /n "JohnSmith" /sd:CONTOSO /td:TREYRESEARCH

The following example migrates users by using an option file that is located at C:\temp\MyListOfUsers.txt.

admt user /o:C:\temp\MyListOfUsers.txt
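
The following Python code is an added example, not part of the original ADMT documentation. It reads an admt user command line, resolves the short switch names to the long names listed under Parameters, and reports where the password, SID history, source expiration, user rights, and conflict settings depart from the defaults documented on this page. The function names and the sample command are constructed for illustration.

```python
import re

# Short -> long switch names, from the parameter table on this page.
ALIASES = {"o": "optionfile", "sd": "sourcedomain", "td": "targetdomain",
           "po": "passwordoption", "pf": "passwordfile", "mss": "migratesids",
           "sep": "sourceexpiration", "uur": "updateuserrights",
           "co": "conflictoptions"}
# Defaults this page documents for the settings reviewed below.
DEFAULTS = {"passwordoption": "complex", "migratesids": "no",
            "sourceexpiration": "none", "updateuserrights": "no",
            "conflictoptions": "ignore"}

def parse_switches(cmdline):
    """Return {long_name: value} for every /name:value switch in the command."""
    found = {}
    # A token is a run of unquoted text and/or "quoted text" with no bare space.
    for token in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline):
        if token.startswith("/") and ":" in token:
            name, value = token[1:].split(":", 1)
            name = name.lower()
            found[ALIASES.get(name, name)] = value.replace('"', "")
    return found

def review(cmdline):
    """Return (effective_settings, findings) for one admt user command line."""
    given = parse_switches(cmdline)
    effective = dict(DEFAULTS)
    effective.update({k: v.lower() for k, v in given.items() if k in DEFAULTS})
    findings = []
    for key, default in DEFAULTS.items():
        if effective[key] != default:
            findings.append(f"{key}={effective[key]} overrides documented default '{default}'")
    # Values such as copy+notexisting carry a modifier after the plus sign.
    password_mode = effective["passwordoption"].split("+")[0]
    if "passwordfile" in given and password_mode != "complex":
        findings.append("passwordfile applies only with passwordoption complex")
    days = effective["sourceexpiration"]
    if days != "none" and not (days.isdigit() and 1 <= int(days) <= 1095):
        findings.append("sourceexpiration must be none or 1 through 1095 days")
    if "optionfile" in given:
        findings.append("option file in use: review its contents as well")
    return effective, findings

# Constructed sample command; domain and user names follow the page's example.
SAMPLE = ('admt user /n "JohnSmith" /sd:CONTOSO /td:TREYRESEARCH '
          '/mss:yes /po:copy /pf:"C:\\temp\\pw.txt" /sep:2000')
```

Calling review(SAMPLE) returns the effective settings together with one finding per overridden default and per rule the command breaks.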