
AD user migration process

1) Can I ask, if you build a new active directory, how do you “migrate” accounts over? Is it a simple task?

2) If some of the existing accounts are set to have non-expiring passwords, and they were set up, say, 10 years ago, when the password policy was weak (i.e. 6 length, no complexity, expire every 6 months etc.), if you migrate them over will they keep the same password properties in the new AD, if your new AD requires a new password policy, i.e. 12 length, meet complexity, expire every 3 months etc.?

3) Our AD team seem to think migrating user objects from the old AD into the new AD will remove the issues with many accounts having weak and non-expiring passwords – what’s your view on this?
pma111
 
Joseph Daly Commented:
You would use the ADMT tool to migrate between domains as mentioned above. The process can be a bit tricky but Microsoft has very good documentation for the tool. You will probably want to migrate the accounts using SID history as well as the password export server MS provides.

Once the accounts are migrated the settings on the accounts should remain the same as they were on the source domain. If the password policy is different, then the users will need to meet that policy when they change their password.

It sounds like moving to a new domain is way overkill just to deal with user accounts that have non-expiring passwords. Why not just do a search on your current domain and make those users follow the password policy?
 
Joseph Daly Commented:
Non-expiring passwords are extremely easy to find using the Quest tools.
http://www.quest.com/powershell/activeroles-server.aspx

The command would be get-qaduser -passwordneverexpires.

You could simply uncheck the password never expires option.
pma111 Author Commented:
"It sounds like moving to a new domain is way overkill just to deal with user accounts that have non-expiring passwords. Why not just do a search on your current domain and make those users follow the password policy?"

No, the weak passwords aren't the justification for a new domain, just one issue that would be nice to resolve during the migration.

"Once the accounts are migrated the settings on the accounts should remain the same as they were on the source domain. If the password policy is different, then the users will need to meet that policy when they change their password."

So, if they keep the settings, i.e. non-expiring passwords, they will never need to change their password, thus they will never be forced to meet the policy in the new domain?
 
Joseph Daly Commented:
Yes, it will bring over the settings that the user currently has. However, during the ADMT process there is also an option to force the user to change password on the next login to the new domain. This might be a way for you to force them to change it.
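
The search for non-expiring passwords and the forced change at next logon discussed in the replies above, as an added example that is not from any poster in this thread. It uses Microsoft's ActiveDirectory PowerShell module rather than the Quest cmdlets or the ADMT option, is meant to be run in the target domain after migration, and the OU path is a hypothetical placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit (and optionally fix) migrated accounts that still
# carry "password never expires", so they are forced onto the new policy.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical OU: replace with the OU the migrated users landed in.
    [string]$SearchBase = 'OU=Migrated Users,DC=new,DC=example',
    # Without -Remediate the script only reports.
    [switch]$Remediate
)

$query = @{
    SearchBase = $SearchBase
    Filter     = 'PasswordNeverExpires -eq $true -and Enabled -eq $true'
    Properties = 'PasswordNeverExpires', 'PasswordLastSet'
}
$flagged = @(Get-ADUser @query)

# Report how old each non-expiring password is; the oldest ones were most
# likely set under the weaker legacy policy.
$report = foreach ($u in $flagged) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = if ($u.PasswordLastSet) {
            [int]((Get-Date) - $u.PasswordLastSet).TotalDays
        } else { $null }
    }
}
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($u in $flagged) {
        $action = 'Clear never-expires and force change at next logon'
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, $action)) {
            # Clear the flag first: change-at-logon cannot be set on an
            # account whose password is still marked as never expiring.
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}
```

Run it with `-Remediate -WhatIf` first to see which accounts would change; service accounts in the search base will need a managed password rotation instead of an interactive change.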
 
pma111 Author Commented:
Thanks, could you dig out a reference link to that option for me so I can show it to the migration team, if you have one handy that is. And anything that backs up that accounts migrated keep their password settings would be a great help too.