Is there a tool to migrate server03 local users to server03 ad domain users?

Posted on 2009-02-18
Last Modified: 2013-12-24
We have two web servers using IIS6 and MSFTP. One server is a domain controller; the other just resides within the domain. We want to promote the second server to DC status, but there are over 100 local user accounts on the server which control website and MSFTP access on a site-by-site basis.
The local users have been added due to an error in the configuration of Helm, our control panel solution. When adding a new domain on the non-DC server, it had been adding local users to that server and not to AD within the domain!

I need to migrate these local users into the AD on the DC. This will then enable me to run DCPROMO on the second server, because I'm aware that when running this, all local users will be deleted!

Your advice is appreciated!

Question by:eonic

    Accepted Solution

    You would have to create each of the new user objects (and don't forget any local groups) in AD.

    You could do this manually, or if you can create a CSV file that contains the proper format and all information, then you could use CSVDE to import that information into AD.

    However, there is something you are missing.
    Just having an account in AD that has the same user name as a local account does nothing for you, because rights, permissions, and group memberships that were associated with the old accounts will not be copied to the new accounts. A domain account and a local account are two separate security principals. They have different SIDs and cannot simply be copied and pasted. You would have to create new groups, and manually add the users to the new groups. And then you would have to go to each application, folder, share... anywhere the local account had access... and give the new account access.

    Also, just as a point of opinion... or rather a point of commonly accepted best practices. It's not a good idea to have any other applications besides AD and DNS running on a domain controller. If a DC fails, you still have other DCs... and even backing up and restoring DCs then becomes less important (because if a DC crashes, it can be rebuilt and replication can replace the AD info)... but if you have other applications installed on the DC, or in your case, other accounts and groups... then you are very likely to run into other problems.

    So in this case... if the idea behind promoting another DC is to have another DC in the environment... my suggestion would be to get another machine dedicated just for a DC.
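The CSVDE route from the accepted answer, as an added example (not code from the thread): it turns a list of local account names into a CSVDE import file and a worklist of old-to-new principals whose permissions must be re-granted. The OU, domain, UPN suffix, host name and sample accounts are constructed placeholders.

```python
import csv
import io
import re

# Assumed placeholders, not taken from the thread: adjust to the real environment.
BASE_DN = "OU=WebUsers,DC=example,DC=local"
UPN_SUFFIX = "example.local"
OLD_HOST, NEW_DOMAIN = "WEB02", "EXAMPLE"
# Characters not allowed in sAMAccountName; user logon names are capped at 20 chars.
BAD_SAM = re.compile(r'["/\\\[\]:;|=,+*?<>]')
# CSVDE cannot import passwords, so accounts are created disabled (0x200 | 0x2).
DISABLED_NORMAL_ACCOUNT = 514
# Constructed sample of (local account name, full name) pairs.
SAMPLE = [("ftp_site1", "Site One FTP"), ("web_acme", "Acme, Inc."),
          ("averyveryverylongaccountname", ""), ("bad/name", "x")]

def escape_rdn(value):
    """Backslash-escape characters that are special inside a DN component."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)

def build_import(local_users):
    """Return (csv_text, acl_map, rejected) for a list of (name, full_name)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\r\n")
    writer.writerow(["DN", "objectClass", "sAMAccountName",
                     "userPrincipalName", "displayName", "userAccountControl"])
    acl_map, rejected = [], []
    for name, full_name in local_users:
        if not name or len(name) > 20 or BAD_SAM.search(name):
            rejected.append(name)  # needs a manual rename before import
            continue
        display = full_name or name
        writer.writerow([f"CN={escape_rdn(display)},{BASE_DN}", "user", name,
                         f"{name}@{UPN_SUFFIX}", display, DISABLED_NORMAL_ACCOUNT])
        # New account = new SID: every ACL naming the old principal must be re-granted.
        acl_map.append((f"{OLD_HOST}\\{name}", f"{NEW_DOMAIN}\\{name}"))
    return out.getvalue(), acl_map, rejected

if __name__ == "__main__":
    text, acl_map, rejected = build_import(SAMPLE)
    print(text)
    for old, new in acl_map:
        print(f"re-grant access: {old} -> {new}")
    print("rejected:", rejected)
```

The generated file is imported with `csvde -i -f <file>`; passwords are then set and the accounts enabled separately, and the worklist covers the re-permissioning the answer describes.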
