Migrates group accounts for Active Directory domain migrations.
The admt group command-line tool is available in the Active Directory Migration Tool (ADMT). To run admt group, at the command prompt, type admt group with the appropriate parameters, and then press ENTER.
For examples of how to use this command, see Examples.
Syntax
admt group [options] /n "<GroupName1>" "<GroupName2>" {/sd:"<SourceDomain>" /td:"<TargetDomain>" | /o:"<OptionFilename>"}
Parameters
- /n "<GroupName1>" "<GroupName2>"
- Specifies the name of the group in the source domain and the
target domain. You can specify the following values for this
parameter:
- GroupName1
Specifies the name of the group in the source domain.
- GroupName2
Specifies the name of the group in the target domain.
- GroupName1
- /{sd|sourcedomain}:"<SourceDomain>"
- Specifies the NetBIOS or Domain Name System (DNS) name of the source domain from which ADMT migrates objects.
- /{td|targetdomain}:"<TargetDomain>"
- Specifies the NetBIOS or DNS name of the target domain to which ADMT migrates objects.
- /{o|optionfile}:"<OptionFilename>"
- Specifies to use an options file. You can specify the following
value for this parameter:
- OptionFilename
Specifies the name of the options file to use. This file contains a list of operations and parameters to use during the migration. You can specify only one option file name with the admt group optionfile command. To specify more than one options file name, list the parameter again for each additional option file.
- OptionFilename
- /{if|intraforest}:{yes|no}
- Specifies whether the migration occurs within a single forest.
You can specify the following values for this parameter:
- yes
Specifies that the migration is within a single forest.
- no
Specifies that the migration is between forests. This is the default setting.
- yes
- /{sdc|sourcedomaincontroller}:"<SourceDomainControllerName>"
- Specifies the NetBIOS or DNS name of the domain controller in
the source domain to use for object migration.
Note Read-only domain controllers (RODCs) are not permitted to be used as the source domain controller.
- /{tdc|targetdomaincontroller}:"<TargetDomainControllerName>"
- Specifies the NetBIOS or DNS name of the domain controller in
the target domain to use for object migration.
Note Read-only domain controllers (RODCs) are not permitted to be used as the target domain controller.
- /{so|sourceou}:"<OUName>"
- Specifies the name of the organizational unit (OU) in the source domain. You can specify this parameter only for Active Directory source domains.
- /{to|targetou}:"<OUName>"
- Specifies the name of the OU in the target domain. This parameter is required for both interforest and intraforest migrations.
- /{po|passwordoption}: {<complex>|copy} [+notexisting]
- Specifies how ADMT sets the passwords of members of the group. This option is only in effect if the option to migrate group members (/mms) is also specified.
- /{ps|passwordserver}:"<ServerName>"
- Specifies the name of the source domain controller that hosts
the Password Export Server (PES) service. This option is only in
effect if the option to migrate group members (/mms) is also
specified.You can specify the following value for this parameter:
- ServerName
Specifies the name of a source domain controller that hosts the PES service. Enclose the server name in quotation marks.
- ServerName
- /{pf|passwordfile}: "<FileName>"
- Specifies the path and name of the password file that ADMT
creates. ADMT creates a password file only when you use the
complex value with the /passwordoption command. This
option is only in effect if the option to migrate group members
(/mms) is also specified.You can specify the following value
for this parameter:
- FileName
Specifies the path and name of the password output file. Enclose the entire path in quotation marks.
- FileName
- /{dot|disableoption}:{[disablesource+] enabletarget|disabletarget|<targetsameassource>}]
- Determines which, if any, accounts to disable after
migration.You can specify the following values for this parameter:
- disablesource+
Disables the accounts in the source domain after ADMT successfully migrates those accounts to the target domain.
- enabletarget
Enables the accounts in the target domain so that ADMT can use them immediately.
- disabletarget
Disables the target accounts after migration.
- targetsameassource
Matches the state of the target account to the state of the source account. This is the default setting.
- disablesource+
- /{sep|sourceexpiration}: {none|<Days>}
- Defines the number of days that the source account is valid
before it expires.You can specify the following values for this
parameter:
- none
Specifies that the source account does not expire. This is the default setting.
- Days
Specifies the number of days (1 through 1095) that the system waits after the migration before it disables the source account.
- none
- /{mss|migratesids}: {yes|no}
- Specifies whether the security identifier (SID) of the source
account migrates to the SID history of the target account.You can
specify the following values for this parameter:
- yes
Migrates the SID from the source account and adds the SID to the SID history of the target account.
- no
Does not migrate SIDs. This is the default setting.
- yes
- /{trp|translateroamingprofile}: {yes|no}
- Specifies whether to translate the roaming profile from the
source account to the target account. This parameter also
associates the target account with the roaming profile.You can
specify the following values for this parameter:
- yes
Translates the roaming profile when ADMT migrates the account. This value associates the target account with the roaming profile.
- no
Does not translate the roaming profile when ADMT migrates the account. This is the default setting.
- yes
- /{uur|updategrouprights}: {yes|no}
- Specifies whether to set the group rights of the target account
to match the group rights of the source account.You can specify the
following values for this parameter:
- yes
Changes the group rights of the target account to match the group rights of the source account.
- no
Does not change the group rights of the target account. This is the default setting.
- yes
- /{mms|migratemembers}: {yes|no}
- Specifies whether to migrate the members of the source domain
groups to the target domain.You can specify the following values
for this parameter:
- yes
Migrates group members when ADMT migrates the group.
- no
Does not migrate group members when ADMT migrates the group account. This is the default setting.
- yes
- /{umo|updatepreviouslymigratedobjects}: {yes|no}
- Specifies whether to migrate groups again during this migration
that ADMT migrated previously. ADMT performs this operation only
when you specify the yes value with the admt user
/migrategroups command during subsequent migration operations.
For more information, see admt user.You can
specify the following values for this parameter:
- yes
Migrates groups again during the current migration operation that ADMT migrated previously.
- no
Does not migrate groups again during the current migration operation. This is the default setting.
Note If a group that ADMT migrated previously has since been removed from the target domain, you must specify this value to migrate the group again.
- yes
- /{fgm|fixgroupmembership}: {yes|no}
- Specifies whether to add migrated users to target domain groups
if those users were members of groups that ADMT migrated from the
source domain.You can specify the following values for this
parameter:
- yes
Checks group membership in the source domain, and then adds the migrated account to those same groups in the target domain. This is the default setting.
- no
Does not add the migrated user account to groups in the target domain.
- yes
- /{co|conflictoptions}: {ignore|merge [+removeuserrights] [+removemembers]|[+movemergedaccounts]}
- Specifies an action for ADMT to take when ADMT finds that an
object name already exists in the target domain.You can specify the
following values for this parameter:
- ignore
Does not migrate the account that already exists in the target domain, and proceeds with the rest of the migration. This is the default setting.
- merge
Replaces the account that already exists in the target domain with the account from the source domain.
- +removeuserrights
Removes existing user rights from the target account. You use this value with the merge value.
- +removemembers
Removes all existing members from the target group before ADMT merges the source group with the target group. You use this value with the merge value.
- +movemergedaccounts
Causes ADMT to move the account from the original OU to the target OU that you specified for the current migration operation, if ADMT finds that a previously migrated account's OU has changed. You use this value with the merge value.
- ignore
- /{gx|grouppropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
- Specifies properties to exclude when groups are migrated.You
can specify the following value for this parameter:
- Property
Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.
- Property
- /{ix|inetorgpersonpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
- Specifies inetOrgPerson properties to exclude when a
group account is migrated.You can specify the following value for
this parameter:
- Property
Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.
- Property
- /{ux|userpropertiestoexclude}: {*|"Property"|"Property1 [,Property2]..."}
- Specifies user properties to exclude when groups are
migrated.You can specify the following value for this parameter:
- Property
Specifies the property to exclude. You can specify multiple properties. Separate each property with a comma, and enclose all properties within a single set of quotation marks. Specify the wildcard character (*) by itself to exclude all properties.
- Property
- /{n|includename}: "<Name>"[ "<Name2>"]...
- Specifies a group or list of groups to migrate.You can specify
the following value for this parameter:
- Name
Specifies the name of the group account or accounts to migrate. Enclose the name within quotation marks. Separate each name from the next name with a space.
- Name
- /{f|includefile}: <FileName>
- Specifies the name of a file that contains a list of groups to
migrate.You can specify the following value for this parameter:
- FileName
Specifies the name of the include file. This file can contain the Windows NT Security Accounts Manager (SAM) account name, relative distinguished name (also known as RDN), or canonical name (CN=) of the group account. You can specify only one file with this parameter.
- FileName
- /{d|includedomain}: [recurse [+{<flatten>|maintain}]]
- Specifies an entire source domain or OU of accounts.You can
specify the following values for this parameter:
- recurse
Specifies how to migrate listed domains or OUs. If you do not specify the +flatten value or the +maintain value with recurse, ADMT uses +flatten as the default value.
- +flatten
Migrates accounts in the parent and child containers into only one target container. The accounts in the child container migrate, but the child containers do not migrate.
- +maintain
Migrates child containers and the accounts that they contain.
- recurse
- /{en|excludename} "Name"[ "Name2"]...
- Specifies group accounts to exclude from the migration.You can
specify the following value for this parameter:
- Name
Specifies the name of the group account or accounts to exclude from migration. You can specify multiple group accounts to exclude. Place each group account name in quotation marks, and separate each name from the next one with a space. By default, ADMT migrates all accounts in a domain or OU that you specify. You can use a maximum of two wildcard characters (*) for each name in the file. You can use wildcard characters at the beginning or end of a string, or at both the beginning and end.
- Name
- /{ef|excludefile}: <FileName>
- Specifies the name of a file that contains the list of groups
to exclude from the current migration operation.You can specify the
following value for this parameter:
- FileName
Specifies the name of the exclude file, which can contain the Windows NT SAM account names or the relative distinguished names of the accounts to exclude. You can specify only one file with this parameter. You can use a maximum of two wildcard characters for each name in the exclude file. Although you cannot include wildcard characters in the name itself, you can include them at the beginning or end of a string, or at both the beginning and end of the string.
- FileName
Remarks
Configuring database administration roles
You can use database administration roles to assign a subset of permissions to users who perform specific migration tasks.
ADMT has the following database administration roles:
- Account migrators:
Perform tasks that are associated with account migrations, such as user and group migrations.
- Resource migrators:
Perform tasks that are associated with resource migrations, such as computer migrations and security translations. Account migrators also hold the role of resource migrators.
- Data readers:
Perform queries against the database. Account migrators and resource migrators also hold the role of data readers.
Users who hold the role of SQL Server system administrator hold all ADMT database administration roles. They have permissions to display database roles and the users who hold those roles, add groups or users to those roles, and remove groups or users from those roles. By default, ADMT assigns the role of system administrator to the local Administrators group, which can perform all ADMT database functions.
Configuring preferred domain controllers
ADMT provides the option for an administrator to select the source and target domain controller to use for a migration instead of having DC Locator select those controllers.
To use a preferred domain controller, you use the admt group command to configure it. You must configure source and target domain controllers independently. After you configure a preferred domain controller, ADMT determines its validity and availability and then uses that domain controller automatically every time that you run ADMT.
Examples
The following example lists all database roles and the members that are assigned to each role.
admt group getrolemembers
The following example adds a role member (JohnSmith from the CONTOSO domain) to the account migrators role.
admt group addrolemember /r:"Account Migrators"
/a:CONTOSO\JohnSmith
The following example removes a role member (JohnSmith from the CONTOSO domain) from the account migrators role.
admt group removerolemember /r:"Account
Migrators" /a:CONTOSO\JohnSmith
The following example configures a preferred domain controller (DC1) for the source domain that you specify (CONTOSO).
admt group setdomaincontroller /Domain:CONTOSO /sdc:DC1
The following example configures a preferred domain controller (DC2) for the target domain that you specify (TREYRESEARCH).
admt group setdomaincontroller /Domain:TREYRESEARCH /sdc:DC2
The following example clears the preferred domain controllers that you configured previously for the CONTOSO domain.
admt group cleardomaincontrollers
/Domain:CONTOSO
The following example displays the preferred domain controllers that you configured.
admt group getdomaincontrollers