Migrates group accounts for Active Directory domain migrations.

The admt group command-line tool is available in the Active Directory Migration Tool (ADMT). To run admt group, at the command prompt, type admt group with the appropriate parameters, and then press ENTER.

For examples of how to use this command, see Examples.

Syntax

admt group [options] /n "<GroupName1>" "<GroupName2>" {/sd:"<SourceDomain>" /td:"<TargetDomain>" | /o:"<OptionFilename>"}

Parameters

/n "<GroupName1>" "<GroupName2>"
Specifies the name of the group in the source domain and the target domain. You can specify the following values for this parameter:
  • GroupName1

    Specifies the name of the group in the source domain.

  • GroupName2

    Specifies the name of the group in the target domain.

/{sd|sourcedomain}:"<SourceDomain>"
Specifies the NetBIOS or Domain Name System (DNS) name of the source domain from which ADMT migrates objects.
/{td|targetdomain}:"<TargetDomain>"
Specifies the NetBIOS or DNS name of the target domain to which ADMT migrates objects.
/{o|optionfile}:"<OptionFilename>"
Specifies to use an options file. You can specify the following value for this parameter:
  • OptionFilename

    Specifies the name of the options file to use. This file contains a list of operations and parameters to use during the migration. You can specify only one option file name with the admt group optionfile command. To specify more than one options file name, list the parameter again for each additional option file.

/{if|intraforest}:{yes|no}
Specifies whether the migration occurs within a single forest. You can specify the following values for this parameter:
  • yes

    Specifies that the migration is within a single forest.

  • no

    Specifies that the migration is between forests. This is the default setting.

/{sdc|sourcedomaincontroller}:"<SourceDomainControllerName>"
Specifies the NetBIOS or DNS name of the domain controller in the source domain to use for object migration.
Note

Read-only domain controllers (RODCs) are not permitted to be used as the source domain controller.
/{tdc|targetdomaincontroller}:"<TargetDomainControllerName>"
Specifies the NetBIOS or DNS name of the domain controller in the target domain to use for object migration.
Note

Read-only domain controllers (RODCs) are not permitted to be used as the target domain controller.
/{so|sourceou}:"<OUName>"
Specifies the name of the organizational unit (OU) in the source domain. You can specify this parameter only for Active Directory source domains.
/{to|targetou}:"<OUName>"
Specifies the name of the OU in the target domain. This parameter is required for both interforest and intraforest migrations.
/{po|passwordoption}: {<complex>|copy} [+notexisting]
Specifies how ADMT sets the passwords of members of the group. This option is only in effect if the option to migrate group members (/mms) is also specified.
/{ps|passwordserver}:"<ServerName>"
Specifies the name of the source domain controller that hosts the Password Export Server (PES) service. This option is only in effect if the option to migrate group members (/mms) is also specified.You can specify the following value for this parameter:
  • ServerName

    Specifies the name of a source domain controller that hosts the PES service. Enclose the server name in quotation marks.

/{pf|passwordfile}: "<FileName>"
Specifies the path and name of the password file that ADMT creates. ADMT creates a password file only when you use the complex value with the /passwordoption command. This option is only in effect if the option to migrate group members (/mms) is also specified.You can specify the following value for this parameter:
  • FileName

    Specifies the path and name of the password output file. Enclose the entire path in quotation marks.

/{dot|disableoption}:{[disablesource+] enabletarget|disabletarget|<targetsameassource>}]
Determines which, if any, accounts to disable after migration.You can specify the following values for this parameter:
  • disablesource+

    Disables the accounts in the source domain after ADMT successfully migrates those accounts to the target domain.

  • enabletarget

    Enables the accounts in the target domain so that ADMT can use them immediately.

  • disabletarget

    Disables the target accounts after migration.

  • targetsameassource

    Matches the state of the target account to the state of the source account. This is the default setting.

/{sep|sourceexpiration}: {none|<Days>}
Defines the number of days that the source account is valid before it expires.You can specify the following values for this parameter:
  • none

    Specifies that the source account does not expire. This is the default setting.

  • Days

    Specifies the number of days (1 through 1095) that the system waits after the migration before it disables the source account.

/{mss|migratesids}: {yes|no}
Specifies whether the security identifier (SID) of the source account migrates to the SID history of the target account.You can specify the following values for this parameter:
  • yes

    Migrates the SID from the source account and adds the SID to the SID history of the target account.

  • no

    Does not migrate SIDs. This is the default setting.

/{trp|translateroamingprofile}: {yes|no}
Specifies whether to translate the roaming profile from the source account to the target account. This parameter also associates the target account with the roaming profile.You can specify the following values for this parameter:
  • yes

    Translates the roaming profile when ADMT migrates the account. This value associates the target account with the roaming profile.

  • no

    Does not translate the roaming profile when ADMT migrates the account. This is the default setting.

/{uur|updategrouprights}: {yes|no}
Specifies whether to set the group rights of the target account to match the group rights of the source account.You can specify the following values for this parameter:
  • yes

    Changes the group rights of the target account to match the group rights of the source account.

  • no

    Does not change the group rights of the target account. This is the default setting.

/{mms|migratemembers}: {yes|no}
Specifies whether to migrate the members of the source domain groups to the target domain.You can specify the following values for this parameter:
  • yes

    Migrates group members when ADMT migrates the group.

  • no

    Does not migrate group members when ADMT migrates the group account. This is the default setting.

/{umo|updatepreviouslymigratedobjects}: {yes|no}
Specifies whether to migrate groups again during this migration that ADMT migrated previously. ADMT performs this operation only when you specify the yes value with the admt user /migrategroups command during subsequent migration operations. For more information, see admt user.You can specify the following values for this parameter:
  • yes

    Migrates groups again during the current migration operation that ADMT migrated previously.

  • no

    Does not migrate groups again during the current migration operation. This is the default setting.

Note

If a group that ADMT migrated previously has since been removed from the target domain, you must specify this value to migrate the group again.
/{fgm|fixgroupmembership}: {yes|no}
Specifies whether to add migrated users to target domain groups if those users were members of groups that ADMT migrated from the source domain.You can specify the following values for this parameter:
  • yes

    Checks group membership in the source domain, and then adds the migrated account to those same groups in the target domain. This is the default setting.

  • no

    Does not add the migrated user account to groups in the target domain.

/{co|conflictoptions}: {ignore|merge [+removeuserrights] [+removemembers]|[+movemergedaccounts]}
Specifies an action for ADMT to take when ADMT finds that an object name already exists in the target domain.You can specify the following values for this parameter:
  • ignore

    Does not migrate the account that already exists in the target domain, and proceeds with the rest of the migration. This is the default setting.

  • merge

    Replaces the account that already exists in the target domain with the account from the source domain.

  • +removeuserrights

    Removes existing user rights from the target account. You use this value with the merge value.

  • +removemembers

    Removes all existing members from the target group before ADMT merges the source group with the target group. You use this value with the merge value.

  • +movemergedaccounts

    Causes ADMT to move the account from the original OU to the target OU that you specified for the current migration operation, if ADMT finds that a previously migrated account's OU has changed. You use this value with the merge value.

/{gx|grouppropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
Specifies properties to exclude when groups are migrated.You can specify the following value for this parameter:
  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.

/{ix|inetorgpersonpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
Specifies inetOrgPerson properties to exclude when a group account is migrated.You can specify the following value for this parameter:
  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.

/{ux|userpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
Specifies user properties to exclude when groups are migrated.You can specify the following value for this parameter:
  • Property

    Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.

/{n|includename}: "<Name>"[ "<Name2>"]...
Specifies a group or list of groups to migrate.You can specify the following value for this parameter:
  • Name

    Specifies the name of the group account or accounts to migrate. Enclose the name within quotation marks. Separate each name from the next name with a space.

/{f|includefile}: <FileName>
Specifies the name of a file that contains a list of groups to migrate.You can specify the following value for this parameter:
  • FileName

    Specifies the name of the include file. This file can contain the Windows NT Security Accounts Manager (SAM) account name, relative distinguished name (also known as RDN), or canonical name (CN=) of the group account. You can specify only one file with this parameter.

/{d|includedomain}: [recurse [+{<flatten>|maintain}]]
Specifies an entire source domain or OU of accounts.You can specify the following values for this parameter:
  • recurse

    Specifies how to migrate listed domains or OUs. If you do not specify the +flatten value or the +maintain value with recurse, ADMT uses +flatten as the default value.

  • +flatten

    Migrates accounts in the parent and child containers into only one target container. The accounts in the child container migrate, but the child containers do not migrate.

  • +maintain

    Migrates child containers and the accounts that they contain.

/{en|excludename} "Name"[ "Name2"]...
Specifies group accounts to exclude from the migration.You can specify the following value for this parameter:
  • Name

    Specifies the name of the group account or accounts to exclude from migration. You can specify multiple group accounts to exclude. Place each group account name in quotation marks, and separate each name from the next one with a space. By default, ADMT migrates all accounts in a domain or OU that you specify. You can use a maximum of two wildcard characters (*) for each name in the file. You can use wildcard characters at the beginning or end of a string, or at both the beginning and end.

/{ef|excludefile}: <FileName>
Specifies the name of a file that contains the list of groups to exclude from the current migration operation.You can specify the following value for this parameter:
  • FileName

    Specifies the name of the exclude file, which can contain the Windows NT SAM account names or the relative distinguished names of the accounts to exclude. You can specify only one file with this parameter. You can use a maximum of two wildcard characters for each name in the exclude file. Although you cannot include wildcard characters in the name itself, you can include them at the beginning or end of a string, or at both the beginning and end of the string.

Remarks

Configuring database administration roles

You can use database administration roles to assign a subset of permissions to users who perform specific migration tasks.

ADMT has the following database administration roles:

  • Account migrators:

    Perform tasks that are associated with account migrations, such as user and group migrations.

  • Resource migrators:

    Perform tasks that are associated with resource migrations, such as computer migrations and security translations. Account migrators also hold the role of resource migrators.

  • Data readers:

    Perform queries against the database. Account migrators and resource migrators also hold the role of data readers.

Users who hold the role of SQL Server system administrator hold all ADMT database administration roles. They have permissions to display database roles and the users who hold those roles, add groups or users to those roles, and remove groups or users from those roles. By default, ADMT assigns the role of system administrator to the local Administrators group, which can perform all ADMT database functions.

Configuring preferred domain controllers

ADMT provides the option for an administrator to select the source and target domain controller to use for a migration instead of having DC Locator select those controllers.

To use a preferred domain controller, you use the admt group command to configure it. You must configure source and target domain controllers independently. After you configure a preferred domain controller, ADMT determines its validity and availability and then uses that domain controller automatically every time that you run ADMT.

Examples

The following example lists all database roles and the members that are assigned to each role.

admt group getrolemembers

The following example adds a role member (JohnSmith from the CONTOSO domain) to the account migrators role.

admt group addrolemember /r:"Account Migrators" /a:CONTOSO\JohnSmith

The following example removes a role member (JohnSmith from the CONTOSO domain) from the account migrators role.

admt group removerolemember /r:"Account Migrators" /a:CONTOSO\JohnSmith

The following example configures a preferred domain controller (DC1) for the source domain that you specify (CONTOSO).

admt group setdomaincontroller /Domain:CONTOSO /sdc:DC1

The following example configures a preferred domain controller (DC2) for the target domain that you specify (TREYRESEARCH).

admt group setdomaincontroller /Domain:TREYRESEARCH /sdc:DC2

The following example clears the preferred domain controllers that you configured previously for the CONTOSO domain.

admt group cleardomaincontrollers /Domain:CONTOSO

The following example displays the preferred domain controllers that you configured.

admt group getdomaincontrollers