• Status: Solved

AD user migration process

1) Can I ask, if you build a new active directory, how do you “migrate” accounts over? Is it a simple task?

2) If some of the existing accounts are set to have non-expiring passwords, and they were set up say 10 years ago, when the password policy was weak (i.e. 6 length, no complexity, expire every 6 months etc), if you migrate them over will they keep the same password properties in the new AD, if your new AD requires a new password policy, i.e. 12 length, meet complexity, expire every 3 months etc.?

3) Our AD team seem to think migrating user objects from the old AD into the new AD will remove the issues with many accounts having weak and non-expiring passwords – what’s your view on this?
Asked: pma111

Joseph Daly Commented:
You would use the ADMT tool to migrate between domains as mentioned above. The process can be a bit tricky but Microsoft has very good documentation for the tool. You will probably want to migrate the accounts using SID history as well as the password export server MS provides.

Once the accounts are migrated the settings on the accounts should remain the same as they were on the source domain. If the password policy is different, then the users will need to meet that policy when they change their password.

It sounds like moving to a new domain is way overkill just to deal with user accounts that have non expiring password. Why not just do a search on your current domain and make those users follow the password policy?

Joseph Daly Commented:
Non expiring passwords are extremely easy to find using the Quest tools.
http://www.quest.com/powershell/activeroles-server.aspx

The command would be get-qaduser -passwordneverexpires.

You could simply uncheck the password never expires option.

pma111 Author Commented:
"It sounds like moving to a new domain is way overkill just to deal with user accounts that have non expiring password. Why not just do a search on your current domain and make those users follow the password policy?"

No, the weak passwords aren't the justification for the new domain, just one issue that would be nice to resolve during the migration.

"Once the accounts are migrated the settings on the accounts should remain the same as they were on the source domain. If the password policy is different, then the users will need to meet that policy when they change their password."

So, if they keep the settings, i.e. non-expiring passwords, they will never need to change their password, thus they will never be forced to meet the policy in the new domain?

Joseph Daly Commented:
Yes it will bring over the settings that the user currently has. However during the ADMT process there is also an option to force the user to change password on the next login to the new domain. This might be a way for you to force them to change it.

pma111 Author Commented:
Thanks, could you dig out a reference link to that option for me so I can show it to the migration team, if you have one handy that is. And anything that backs up that accounts migrated keep their password settings would be a great help too.
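
An added example, not part of the original thread or of Microsoft's ADMT documentation: because migrated accounts keep their source-domain settings, this audit flags accounts in the target domain that are set to never expire or whose password is older than the new policy allows, then optionally clears the flag and forces a change at next logon. It assumes the RSAT ActiveDirectory module rather than the Quest cmdlets mentioned above; the function names and sample accounts are constructed for illustration, and 90 days stands in for the "expire every 3 months" policy from the question.

```powershell
# Added example. Function names are hypothetical; sample accounts are constructed.
function Get-StalePasswordAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$MaxAgeDays = 90,               # assumption: new policy, expire every 3 months
        [datetime]$Now = (Get-Date)
    )
    process {
        $reasons = @()
        if ($User.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }
        # A null PasswordLastSet means a change is already pending, so it is not flagged.
        if ($User.PasswordLastSet -and ($Now - $User.PasswordLastSet).TotalDays -gt $MaxAgeDays) {
            $reasons += 'PasswordOlderThanPolicy'
        }
        if ($reasons) {
            [pscustomobject]@{
                SamAccountName  = $User.SamAccountName
                PasswordLastSet = $User.PasswordLastSet
                Reasons         = $reasons -join ','
            }
        }
    }
}

function Reset-PasswordExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        # Review service accounts first: a forced change at logon breaks unattended logons.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear never-expires, require change at next logon')) {
            # Two calls: the flag must be cleared before a change at logon can be required.
            Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        }
    }
}

# Constructed sample data so the audit logic runs without a domain controller.
$now = Get-Date '2024-01-15'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   PasswordNeverExpires = $true;  PasswordLastSet = [datetime]'2014-03-01' }
    [pscustomobject]@{ SamAccountName = 'bob';     PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2023-12-20' }
    [pscustomobject]@{ SamAccountName = 'carol';   PasswordNeverExpires = $false; PasswordLastSet = [datetime]'2022-06-01' }
    [pscustomobject]@{ SamAccountName = 'pending'; PasswordNeverExpires = $false; PasswordLastSet = $null }
)
$sample | Get-StalePasswordAccount -Now $now | Format-Table -AutoSize

# Against the migrated domain (dry run; drop -WhatIf once the list has been reviewed):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
#     Get-StalePasswordAccount | Reset-PasswordExpiry -WhatIf
```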