
Is there a tool to migrate server03 local users to server03 AD domain users?

We have two web servers using IIS6 and MSFTP. One server is a domain controller; the other just resides within the domain. We want to promote the second server to DC status, but there are over 100 local user accounts on the server which control website and MSFTP access on a site-by-site basis.
The local users have been added due to an error in the configuration of Helm, our control panel solution. When adding a new domain on the non-DC server, it had been adding local users to that server and not to AD within the domain!

I need to migrate these local users into the AD on the DC. This will then enable me to run DCPROMO on the second server, because I'm aware that when running this, all local users will be deleted!

Your advice is appreciated!

1 Solution
You would have to create each of the new user objects (and don't forget any local groups) in AD.

You could do this manually, or if you can create a CSV file that contains the proper format and all information, then you could use CSVDE to import that information into AD.

However, there is something you are missing.
Just having an account in AD that has the same user name as a local account does nothing for you, because rights, permissions, and group memberships that were associated with the old accounts will not be copied to the new accounts. A domain account and a local account are two separate security principals. They have different SIDs and cannot simply be copied and pasted. You would have to create new groups, and manually add the users to the new groups. And then you would have to go to each application, folder, share... anywhere the local account had access... and give the new account access.

Also, just as a point of opinion... or rather a point of commonly accepted best practices. It's not a good idea to have any other applications besides AD and DNS running on a domain controller. If a DC fails, you still have other DCs... and even backing up and restoring DCs then becomes less important (because if a DC crashes, it can be rebuilt and replication can replace the AD info)... but if you have other applications installed on the DC, or in your case, other accounts and groups... then you are very likely to run into other problems.

So in this case... if the idea behind promoting another DC is to have another DC in the environment... my suggestion would be to get another machine dedicated just for a DC.
Question has a verified solution.
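
The two steps the answer describes, sketched as an added example that is not part of the original thread: building a CSVDE import file from the local account names, and listing every ACL entry that must be re-granted because the new domain accounts have different SIDs. The server name `WEB02`, domain `EXAMPLE`, OU, UPN suffix, account names and the cacls-style listing are all assumed or constructed sample values.

```python
import csv
import io

# Assumed names, not from the thread: member server, domain, OU, UPN suffix.
SERVER, DOMAIN = "WEB02", "EXAMPLE"
TARGET_OU = "OU=HostedSites,DC=example,DC=local"
UPN_SUFFIX = "example.local"

# Constructed sample data: local account names and cacls-style ACL output
# (paths are assumed to contain no spaces).
LOCAL_USERS = ["site_alpha", "site_beta"]
CACLS_OUTPUT = r"""
D:\sites\alpha BUILTIN\Administrators:(OI)(CI)F
               WEB02\site_alpha:(OI)(CI)C
D:\ftproot\beta NT AUTHORITY\SYSTEM:(OI)(CI)F
                WEB02\site_beta:(OI)(CI)R
"""

def build_csvde(users):
    """CSVDE import text; CSVDE cannot set passwords, so accounts start disabled (514)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["DN", "objectClass", "sAMAccountName",
                "userPrincipalName", "displayName", "userAccountControl"])
    for name in users:
        w.writerow([f"CN={name},{TARGET_OU}", "user", name,
                    f"{name}@{UPN_SUFFIX}", name, 514])
    return buf.getvalue()

def acl_worklist(cacls_text, users):
    """Return (path, local principal, domain principal, rights) for each ACE to re-grant."""
    work, path = [], None
    wanted = {u.lower() for u in users}
    for line in filter(str.strip, cacls_text.splitlines()):
        if not line[0].isspace():            # unindented line starts a new path
            path, line = line.split(" ", 1)
        principal, rights = line.strip().rsplit(":", 1)
        scope, _, account = principal.rpartition("\\")
        if scope.upper() == SERVER and account.lower() in wanted:
            work.append((path, principal, f"{DOMAIN}\\{account}", rights))
    return work

if __name__ == "__main__":
    print(build_csvde(LOCAL_USERS))
    for item in acl_worklist(CACLS_OUTPUT, LOCAL_USERS):
        print(*item, sep=" | ")
```

The CSV text is the kind of file `csvde -i -f <file>` imports; each imported account still needs a password set and to be enabled before it can log on. The worklist covers only file-system ACLs in the sample listing, so group memberships and per-site IIS and FTP settings need the same review.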
