Solved

Moving Domains

Posted on 2004-08-19
191 Views
Last Modified: 2011-09-20
My company is in the testing phases of moving to a new 2003 AD domain from an NT4 domain.  I need to move the user data from the old local profile to the new local profile.  I am planning on using MOVEUSER.EXE to handle this portion of it.  However, I am having trouble adding the correct domain user to the local group on each computer.

The question I have is: is there a script that would pull local group information from the local machine, and then add the appropriate new domain user to a certain local group on the local machine?  An example would be: in the local admin group there is a domain user account called DOMABC\JohnS (DOMABC = old domain).  I need a script that will read this information and add the new domain account NEWDOMABC\JohnS (NEWDOMABC = new domain) to the local admin group.  The only problem is that I need the script to work on 1,000 machines, where the domain username will be different on each machine.
Question by:SCP028
17 Comments
LVL 5

Expert Comment

by:jmacmicking
Do the user names themselves match up exactly?  In the instance you've provided the name in both cases is JohnS; can we assume this is always the case?

Author Comment

by:SCP028
Yes, the usernames will be the exact same from the old domain to the new one.
LVL 9

Expert Comment

by:jdeclue
Try this in the login script, I am not sure if it can work without the right credentials, but it is worth a try.

Net localgroup administrators domainname\%username% /add

replace domainname with your domain.

If this works it will take the currently logged on user and add their domain account to the local administrators group.

J

Author Comment

by:SCP028
This will not work because of the lack of credentials.
LVL 9

Expert Comment

by:jdeclue
It is supposed to work, because the login script does not run under their credentials.  Did you try it?

J
LVL 9

Expert Comment

by:jdeclue
Sorry, is this a login script that you are running from Active Directory through a GPO?  Or are you pointing the account to a mapped drive and running a batch file?

J

Author Comment

by:SCP028
I am going to have it run as a log in script through GPO.
LVL 5

Accepted Solution

by:jmacmicking (earned 500 total points)
If jdeclue's method doesn't work you can try this instead.  It's a two part process: since the PC doesn't store the actual account name (just the SID) you'll need to get a list of the accounts before removing the PC from the domain.  Then, once the computer has been joined, run the second script to add the names back in.  You'll need to be logged in as an admin in both cases.  Note that these scripts could be modified to run remotely; the PC would need to be on and the account used would have to be an admin on the box (a member of Domain Admins for instance), but it's possible.  You could even set up the script to do multiple PCs, although I wouldn't really recommend it due to the difficulty in tracking machines that weren't successful (they weren't on, something timed out, they haven't been migrated yet, etc.).

First script; pulls the names of the accounts in the administrators group and lists them in a text file:
      Option Explicit

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, OutputFile

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      ' Overwrites adminlist.txt in the current directory on every run
      Set OutputFile = FSO.CreateTextFile("adminlist.txt", True)

      ' Bind to the local Administrators group through the ADSI WinNT provider
      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators")

      ' One member per line.  Name is the bare account name without a domain prefix,
      ' so DOMABC\JohnS is written as JohnS.  The built-in Administrator is skipped.
      For Each UserAccount In AdminList.Members
            If Not UserAccount.Name = "Administrator" Then OutputFile.WriteLine UserAccount.Name
      Next
      OutputFile.Close

Second script; pulls the names from the text file and adds them to the administrators group:
      Option Explicit

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, InputFile

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      ' 1 = ForReading
      Set InputFile = FSO.OpenTextFile("adminlist.txt", 1)

      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators")

      ' Add each name from the file back to the group.  The path is built from the
      ' bare name exactly as recorded; WinNT paths for domain accounts have the form
      ' WinNT://DOMAIN/name.  Add raises an error if the member is already present.
      While Not InputFile.AtEndOfStream
            UserAccount = InputFile.ReadLine
            AdminList.Add "WinNT://" & UserAccount
      Wend

      InputFile.Close
LVL 9

Expert Comment

by:jdeclue
Ok, back that up. I wasn't thinking. Startup/Shutdown (Computer Configuration) scripts run as Administrator, Logon/Logoff run as USER. So my idea probably will not work. ;)

J
LVL 9

Expert Comment

by:jdeclue
These people are already logging in as local admin, but on the old domain, right? Is there a trust set up already to the new domain, with their other account there?

Author Comment

by:SCP028
Yes, there will be a trust setup with the old domain.  

Author Comment

by:SCP028
Jmacmicking,

Regarding the script you posted.  Thanks.  There are some problems though:
1.  The 1st script works great.  However, when you go to run it again, it bombs out if any one account already exists on the machine, i.e. Domain Admins.

2.  I need the second part of the script to put the new domain name in the first part of the username.  
LVL 5

Expert Comment

by:jmacmicking
1.
If you have a list of accounts that you don't want to add back to the PC you can:
  Modify the first script to prevent it adding any accounts that would be undesirable (as I already did with the local Administrators account)
  Modify the second script so it doesn't add those accounts.

If you need help with either method just provide a list of the accounts you don't want to add and I'll add it to the script.  Or, I can use generic names to get you started and let you handle the rest.  

If you just want to avoid duplicates I can add in a section that searches the current list of accounts and skips any that already exist.  

Lemme know which works best for you.

2.
Can you give an example of the exact format you want the new name added in?  
The PC should automatically use the current login domain when you add the names back in so, usually, logging in with a domain account that has administrative rights is all that's necessary.  If you aren't using an account on the new domain it'll be a bit more of a bear--in fact, unless there's a trust set up, I can't think of any good way to do it.

Author Comment

by:SCP028
1.  Avoiding duplicates would be the way to go.  

2.  I would like the new name added as "newdomain\username".  With "newdomain" being the name of the new domain, and "username" being the username of whatever user was previously added to the local admin group.  I am going to test the script right now in our lab to see if it will append the username saved to adminlist.txt to include the new domain.
LVL 5

Expert Comment

by:jmacmicking
"Quick and dirty" avoid duplicates; put this line right before the Add statement
  ON ERROR RESUME NEXT
After the Add statement put
  ON ERROR GOTO 0

This allows the occasional error when adding an account but still halts the script if other errors crop up.

A better method to avoid duplicates would be to use a dictionary object to track all existing accounts:
      Option Explicit

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, InputFile, CurAdminsList, AdminAccount

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      Set CurAdminsList = CreateObject("Scripting.Dictionary")
      ' Account names are not case sensitive, so compare keys case-insensitively
      ' (CompareMode must be set before any keys are added)
      CurAdminsList.CompareMode = vbTextCompare
      ' 1 = ForReading
      Set InputFile = FSO.OpenTextFile("adminlist.txt", 1)

      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators")

      ' Record every current member by bare name.  Two members can share a name
      ' (local Administrator and DOMAIN\Administrator), so guard against a duplicate key.
      For Each AdminAccount In AdminList.Members
            If Not CurAdminsList.Exists(AdminAccount.Name) Then
                  CurAdminsList.Add AdminAccount.Name, AdminAccount.Name
            End If
      Next

      ' Re-add each saved name under the domain of the account running this script
      ' (WshNetwork.UserDomain), so log on with an admin account from the new domain.
      ' Names already in the group are skipped instead of raising an error.
      While Not InputFile.AtEndOfStream
            UserAccount = Trim(InputFile.ReadLine)
            'msgbox WshNetwork.UserDomain & "\" & UserAccount
            If Len(UserAccount) > 0 And Not CurAdminsList.Exists(UserAccount) Then
                  AdminList.Add "WinNT://" & WshNetwork.UserDomain & "/" & UserAccount
                  CurAdminsList.Add UserAccount, UserAccount
            End If
      Wend

      InputFile.Close
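The export/import procedure from the accepted solution and the duplicate-skipping version above, carried out in one PowerShell script. This is an added example, not code posted in the thread: it uses the same ADSI WinNT provider as the VBScript, but reads each member's ADsPath so the old domain is kept (a bare Name cannot tell DOMABC\JohnS from PCNAME\JohnS), rewrites the prefix to the new domain on import, skips members that are already present, and logs a failed Add instead of aborting the run. The domain names DOMABC and NEWDOMABC, the file location and the script name are placeholders taken from or assumed for the question; the script assumes it runs elevated and that, at import time, the machine is joined to the new domain or a trust lets it resolve NEWDOMABC accounts.

```powershell
<#
  Added example (not from the thread).  Export the old-domain members of the
  local Administrators group, then re-add them under the new domain.
  Assumed usage:
    .\Move-LocalAdmins.ps1 -Mode Export   # before leaving the old domain
    .\Move-LocalAdmins.ps1 -Mode Import   # after joining the new domain
#>
param(
    [ValidateSet('Export', 'Import')] [string] $Mode = 'Export',
    [string] $OldDomain = 'DOMABC',      # placeholder domain name from the question
    [string] $NewDomain = 'NEWDOMABC',   # placeholder domain name from the question
    [string] $ListFile  = "$env:SystemDrive\adminlist.txt"   # assumed location
)

# Same ADSI WinNT provider the VBScript binds to; available on 2000/XP/2003 and later.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

function Get-LocalAdminMembers {
    # Parse each member's ADsPath (WinNT://DOMAIN/name) so the domain survives.
    foreach ($m in @($group.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -eq 2) {
            [pscustomobject]@{ Domain = $parts[0]; Name = $parts[1] }
        } else {
            # Orphaned SID (the account's domain can no longer be resolved).
            [pscustomobject]@{ Domain = ''; Name = $parts[-1] }
        }
    }
}

switch ($Mode) {
    'Export' {
        # Only old-domain members are recorded; local accounts and orphaned SIDs
        # stay out of the list so they are never re-added under the new domain.
        $lines = @(Get-LocalAdminMembers |
            Where-Object { $_.Domain -eq $OldDomain } |
            ForEach-Object { "$($_.Domain)\$($_.Name)" })
        Set-Content -Path $ListFile -Value $lines
        Write-Host "Exported $($lines.Count) $OldDomain member(s) to $ListFile"
    }
    'Import' {
        # Index current members as DOMAIN\name (case-insensitive) to skip duplicates.
        $current = @{}
        foreach ($member in Get-LocalAdminMembers) {
            $current["$($member.Domain)\$($member.Name)".ToLowerInvariant()] = $true
        }
        foreach ($line in Get-Content -Path $ListFile | Where-Object { $_.Trim() }) {
            $name = ($line.Trim() -split '\\', 2)[-1]     # drop the old domain prefix
            $key  = "$NewDomain\$name".ToLowerInvariant()
            if ($current.ContainsKey($key)) {
                Write-Host "skip   $NewDomain\$name (already a member)"
                continue
            }
            try {
                # No class suffix, so both users and groups (e.g. Domain Admins) resolve.
                $group.Add("WinNT://$NewDomain/$name")
                $current[$key] = $true
                Write-Host "added  $NewDomain\$name"
            } catch {
                # Unresolvable account, missing trust or insufficient rights:
                # report it and carry on rather than stopping at the first failure.
                Write-Warning "failed $NewDomain\$name : $($_.Exception.Message)"
            }
        }
    }
}
```

Two things worth checking before rolling this out to many machines. First, the import step grants local administrator rights to whatever is in adminlist.txt, so the file must sit where only administrators can write it (a world-writable share or a user-profile path would let anyone add an account to Administrators on the next run). Second, run the import under an account from the new domain: the WinNT provider resolves NEWDOMABC\name using the caller's credentials, and without a trust or a new-domain logon the Add call fails for every entry, which the warning output makes visible per account.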
LVL 9

Expert Comment

by:jdeclue
If there will be a trust setup, then the login script will work just fine, the local user is a local administrator and they can add accounts from the new domain to the local administrator group. ;) Since %username% does not include the domain, by setting the new domainname in the command, it will work just fine.

J

Author Comment

by:SCP028
I am in the process of testing both of these suggestions in the lab.  Unfortunately some of my lab equipment was pulled yesterday and put into production (hardware failures...).