

Is there a tool to migrate server03 local users to server03 ad domain users?

Medium Priority
Last Modified: 2013-12-24
We have two web servers using IIS6 and MSFTP. One server is a domain controller; the other just resides within the domain. We want to promote the second server to DC status, but there are over 100 local user accounts on the server which control website and MSFTP access on a site-by-site basis.
The local users have been added due to an error in the configuration of Helm, our control panel solution. When adding a new domain on the non-DC server it had been adding local users to that server and not to AD within the domain!

I need to migrate these local users into the AD on the DC. This will then enable me to run DCPROMO on the second server, because I'm aware that when running this, all local users will be deleted!

Your advice is appreciated!


You would have to create each of the new user objects (and don't forget any local groups) in AD.

You could do this manually, or if you can create a CSV file that contains the proper format and all information, then you could use CSVDE to import that information into AD.

However, there is something you are missing.
Just having an account in AD that has the same user name as a local account does nothing for you, because rights, permissions, and group memberships that were associated with the old accounts will not be copied to the new accounts. A domain account and a local account are two separate security principals. They have different SIDs and cannot simply be copied and pasted. You would have to create new groups, and manually add the users to the new groups. And then you would have to go to each application, folder, share... anywhere the local account had access... and give the new account access.

Also, just as a point of opinion... or rather a point of commonly accepted best practices. It's not a good idea to have any other applications besides AD and DNS running on a domain controller. If a DC fails, you still have other DCs... and even backing up and restoring DCs then becomes less important (because if a DC crashes, it can be rebuilt and replication can replace the AD info)... but if you have other applications installed on the DC, or in your case, other accounts and groups... then you are very likely to run into other problems.

So in this case... if the idea behind promoting another DC is to have another DC in the environment... my suggestion would be to get another machine dedicated just for a DC.
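An added example, not code from the question or the answer above: a PowerShell script run on the member server that writes the local accounts out in the column layout CSVDE imports, and separately records local group memberships, since CSVDE will not carry those (or any SID-based permissions) over. It assumes Windows PowerShell with the ADSI WinNT provider; the OU, UPN suffix and output folder are hypothetical placeholders.

```powershell
# Added example; assumes Windows PowerShell and the ADSI WinNT provider on the member server.
# $TargetOu and $Suffix are hypothetical placeholders: replace them with your own domain values.
$TargetOu    = 'OU=WebUsers,DC=example,DC=local'
$Suffix      = 'example.local'
$OutDir      = 'C:\migrate'
$SkipPattern = '^(Administrator|Guest|ASPNET|SUPPORT_|IUSR_|IWAM_)'   # built-ins that must not be recreated in AD

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

# 1. Users: one row per local account, DN first, as CSVDE expects.
$users = foreach ($u in $computer.Children) {
    if ($u.SchemaClassName -ne 'user') { continue }
    $name = [string]$u.Name
    if ($name -match $SkipPattern) { continue }
    $display = [string]$u.FullName
    if (-not $display) { $display = $name }
    New-Object PSObject -Property @{
        DN                = "CN=$name,$TargetOu"
        objectClass       = 'user'
        sAMAccountName    = $name
        userPrincipalName = "$name@$Suffix"
        displayName       = $display
        description       = [string]$u.Description
    }
}
$users | Select-Object DN,objectClass,sAMAccountName,userPrincipalName,displayName,description |
    Export-Csv -Path "$OutDir\localusers.csv" -NoTypeInformation -Encoding ASCII

# 2. Local group memberships: not importable via CSVDE, recorded so the groups can be rebuilt by hand in AD.
$members = foreach ($g in $computer.Children) {
    if ($g.SchemaClassName -ne 'group') { continue }
    foreach ($m in $g.Invoke('Members')) {
        $memberName = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{ Group = [string]$g.Name; Member = $memberName }
    }
}
$members | Select-Object Group,Member |
    Export-Csv -Path "$OutDir\localgroups.csv" -NoTypeInformation -Encoding ASCII

# On the DC, import the users, then set a password and enable each one:
# CSVDE creates user objects disabled and cannot set passwords.
#   csvde -i -f C:\migrate\localusers.csv -k
#   dsmod user "CN=<name>,OU=WebUsers,DC=example,DC=local" -pwd * -mustchpwd yes -disabled no
```

After the import, every IIS site, FTP home folder and NTFS ACL that referenced a local SID still has to be re-granted to the new domain account, exactly as the answer describes.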
