Active Directory/Documentation/Enable User/Password Migration

From WolfTech
Revision as of 22:46, 27 February 2006 by Pgmurphy (talk | contribs)

The Active Directory Migration Tool (ADMT) allows you to migrate Users and their passwords to another domain. The following procedure is required to enable it.

Target Domain

  1. Install the 128-bit high-encryption pack.
    • If the target domain is Windows 2000 or Windows Server 2003 family, the pack is included as standard and does not need to be installed.
  2. If the target domain is Windows Server 2003 family, change the Default Domain Controllers Policy.
    1. Open the Users and Computers snap-in.
    2. Open the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options container and locate the Network access settings.
    3. Enable Let Everyone permissions apply to anonymous users.
  3. Add the Everyone group to the built-in group Pre-Windows 2000 Compatible Access.
    1. On one of the domain controllers in the target domain, enter the following at the command prompt: net localgroup "Pre-Windows 2000 Compatible Access" Everyone /Add
    2. Reboot the domain controller.
  4. Verify that the passwords of the source domain user accounts match the password policy of the target domain.
    • ADMT cannot verify password policies in the target domain. If the source user accounts have passwords that violate the password restrictions (such as minimum length) in the target, then the affected migrated accounts can log on, but they will be forced to change their password the next time they log on.
  5. Save the password file.
    1. At the command prompt, change to the drive on which ADMT is locally installed.
    2. Change directories to the path on which ADMT is locally installed.
    3. Enter a command that uses the following syntax:

      admt key [fqSourceDomainName] DriveLetter *

  6. Grant the Pre-Windows 2000 Compatible Access group Read permission on CN=Server,CN=System,DC={targetdom},DC={tld}.
    1. Open ADUC by keying "dsa.msc" in run box.
    2. On the View menu, choose Advanced Features.
    3. Expand the System node and check whether it contains a node called Server. If the Server node exists, right-click Server, choose Properties, and grant Read permission to the Pre-Windows 2000 Compatible Access group; if the Server node cannot be found, open the properties of System and grant Read permission to the Pre-Windows 2000 Compatible Access group there.
  7. Set the following group policy on the target DCs:

    Computer Configuration\Windows Settings\Local Policies\Security Options
    Network access: Named Pipes that can be accessed anonymously = lsarpc, samr

    Warning! Giving anonymous access to samr allows accounts to be enumerated.

  8. Set the following group policy on the target DCs:

    Computer Configuration\Windows Settings\Local Policies\Security Options
    Network access: Let Everyone permissions apply to anonymous users = Enabled

Source Domain

  1. Run the password installation file.
    1. On the Microsoft Windows Server 2003 family CD, in the \i386\Admt directory, double-click Pwdmig.exe.
    2. When prompted, insert the floppy disk created on the target domain. If prompted, enter a password and then click OK.
  2. Prepare the Password Export Server.
    1. Select a BDC in the source domain to act as the Password Export Server.
    2. Ensure the Password Export server meets the minimum software requirements, which are: Windows NT 4.0 with Service Pack 5, or Windows 2000 with the 128-bit high-encryption pack installed.
    3. In the registry of the Password Export server under HKLM\System\CurrentControlSet\Control\Lsa, change the value of the following entry from 0 to 1:

      AllowPasswordExport:REG_DWORD

    4. Reboot the domain controller.
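Several of the steps above (anonymous access to the lsarpc and samr pipes, Everyone in Pre-Windows 2000 Compatible Access, Let Everyone permissions apply to anonymous users, AllowPasswordExport on the PES) deliberately loosen the domain controllers for the duration of the migration, and the page itself warns that anonymous samr access allows account enumeration. The script below is an added example, not part of this page or of ADMT, that reports the state of each of those settings on the DC it runs on, so an administrator can confirm they are in place before migration and confirm they have been reverted afterwards. The function names are made up here. The page names the policies only by their Group Policy titles; the script assumes their standard registry backing values, EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and NullSessionPipes under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and reads AllowPasswordExport from the Lsa key given on the page.

```powershell
# Added example (not from the WolfTech page or ADMT): audit the settings the
# password-migration procedure turns on, so they can be verified and later reverted.
# Assumed registry backing for the policies named on the page (standard, but
# not stated there):
#   "Let Everyone permissions apply to anonymous users" -> Lsa\EveryoneIncludesAnonymous (1 = Enabled)
#   "Named Pipes that can be accessed anonymously"       -> LanmanServer\Parameters\NullSessionPipes (REG_MULTI_SZ)
# AllowPasswordExport and the Pre-Windows 2000 Compatible Access group are from the page.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # value absent: the policy is at its default (not configured)
    }
}

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # The WinNT provider resolves built-in groups on a domain controller.
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-AdmtPasswordMigrationSettings {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $everyoneAnon = Get-RegistryValueOrNull -Path $lsa    -Name 'EveryoneIncludesAnonymous'
    $pipes        = @(Get-RegistryValueOrNull -Path $server -Name 'NullSessionPipes')
    $allowExport  = Get-RegistryValueOrNull -Path $lsa    -Name 'AllowPasswordExport'
    $members      = @(Get-LocalGroupMemberNames -GroupName 'Pre-Windows 2000 Compatible Access')

    # One row per migration-only setting; Role says which side of the migration
    # the page applies it to, Enabled says whether this host currently has it on.
    @(
        [pscustomobject]@{
            Setting = 'Let Everyone permissions apply to anonymous users'
            Role    = 'Target DC'
            Enabled = ($everyoneAnon -eq 1)
            Detail  = "EveryoneIncludesAnonymous = $everyoneAnon"
        },
        [pscustomobject]@{
            Setting = 'Named Pipes accessible anonymously include lsarpc and samr'
            Role    = 'Target DC'
            Enabled = (($pipes -contains 'lsarpc') -and ($pipes -contains 'samr'))
            Detail  = "NullSessionPipes = $($pipes -join ',')"
        },
        [pscustomobject]@{
            Setting = 'Everyone is a member of Pre-Windows 2000 Compatible Access'
            Role    = 'Target DC'
            Enabled = ($members -contains 'Everyone')
            Detail  = "Members = $($members -join ',')"
        },
        [pscustomobject]@{
            Setting = 'AllowPasswordExport'
            Role    = 'Source PES'
            Enabled = ($allowExport -eq 1)
            Detail  = "AllowPasswordExport = $allowExport"
        }
    )
}

# Usage: run from an elevated prompt on the DC being checked. Before migration the
# rows for this host's role should show Enabled = True; once the migration is
# complete every row should show Enabled = False again.
Test-AdmtPasswordMigrationSettings | Format-Table -AutoSize
```

Because the same script is run on both the target DCs and the source Password Export Server, the Role column tells you which rows matter on the host you are looking at; a True row on a host whose migration is finished is the cue to revert that step.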