  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 351

Move user permissions from old domain to new.

Hello,

We're planning on migrating our users from our old domain to our new domain.  E-mail has already been migrated, using new accounts instead of transferring the SID history.  I'm looking for a way to create groups on the new domain and assign the groups to the users' existing new domain accounts.  Can you recommend any tools or scripts which can align old accounts with the new ones and add proper permissions to the new accounts?

Both domains trust each other and we are using Win2k3 domain controllers on both domains.
Asked:
rj4510
1 Solution
 
LauraEHunterMVP Commented:
If I'm understanding you correctly, you have group objects configured in DomainA such that DomainA\GroupA contains DomainA\User1, DomainA\User2, DomainA\User3 as members.  You are now trying to create group objects in DomainB such that DomainB\GroupA contains DomainB\User1, DomainB\User2, DomainB\User3 as members.  (And all of the DomainB accounts already exist and were created manually; they were not migrated from DomainA.) Is this correct?

The Active Directory Migration Tool has an option to merge accounts in the source domain with accounts in the target domain when it finds accounts that have the same name, which would alleviate the "Accounts already exist in the new domain" problem.  Would this be sufficient for your needs?  (Can't beat the price, it's free.)  http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

AnthonyP9618 Commented:
Not to mention the ADMT will also change those user and object IDs to match the new domain Identifiers.  Makes things a lot easier.

rj4510 (Author) Commented:
What if the user names do not match on domain B?  Can the old user names be mapped by ADMT?
Thanks

LauraEHunterMVP Commented:
There's an option for a mapping file when you use the command-line component, but you'll need to specify each "oldname newname" entry manually.  Not the most pleasant of processes, but it'll still help move your groups over reasonably.

The ADMTv3 guide is available here: http://www.microsoft.com/downloads/details.aspx?familyid=D99EF770-3BBB-4B9E-A8BC-01E9F7EF7342&displaylang=en

Search the Word doc for "SourceName,Targetname" for the section on mapping.  (Though I obviously recommend that you read the whole thing before attempting a production migration with it.)

rj4510 (Author) Commented:
Thanks for your help.