I had a client who wanted to move all their information to a new domain but did not care about SIDs and did not want to use ADMT. Here is how I did it; please note that you would normally do an ADMT migration for this.
Export Organisational Units:
ldifde -f c:\domainOUs.ldf -s Server1 -d "dc=domain,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"
Export Users (these were the attributes I was interested in):
ldifde -f c:\domainusers.ldf -s Server1 -d "dc=domain,dc=local" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,c,co,company,countryCode,description,displayName,facsimileTelephoneNumber,homePhone,initials,l,mail,name,physicalDeliveryOfficeName,postalCode,sn,st,streetAddress,telephoneNumber,title"
I then opened these .ldf files in Notepad and changed the domain name using Find and Replace.
Next I imported the .ldf files into the new domain on one of the new domain controllers:
ldifde -i -f c:\domainOUs.ldf -s newserver -k -j c:\
ldifde -i -f c:\domainusers.ldf -s newserver -k -j c:\
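The Notepad find-and-replace step is the fragile part of this procedure: ldifde writes any value that is not plain ASCII as a base64 line ("dn:: ..."), and LDIF folds long values onto continuation lines, so a plain text search can miss a DN and the import then fails or lands objects in the wrong place. The following PowerShell script is an added example, not part of the original post; it unfolds the export, rewrites the domain suffix inside both plain and base64 values, writes the result as Unicode and runs the same import the post uses. The suffixes, file paths and the server name newserver are assumed placeholders.

```powershell
# Added example (not part of the original post): rewrite the DN suffix in an
# ldifde export and import it into the new domain. The suffixes, file paths
# and the server name 'newserver' are assumed placeholders.

$OldSuffix = 'DC=domain,DC=local'
$NewSuffix = 'DC=newdomain,DC=local'
$InFile    = 'C:\domainusers.ldf'
$OutFile   = 'C:\domainusers-newdomain.ldf'

# LDIF folds long values onto continuation lines that begin with one space.
# Join them first so a DN is never split across two lines.
function Join-LdifLine {
    param([string[]]$Lines)
    $out = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.Length -gt 0 -and $line[0] -eq ' ' -and $out.Count -gt 0) {
            $out[$out.Count - 1] += $line.Substring(1)
        } else {
            $out.Add($line)
        }
    }
    return $out.ToArray()
}

# Rewrite one (unfolded) line. ldifde base64-encodes any value that is not
# plain ASCII and writes it as "attr:: <base64>"; a text editor's find-and-
# replace cannot see the suffix inside those, so decode, replace and re-encode.
function Convert-LdifLine {
    param([string]$Line, [string]$From, [string]$To)
    $pattern = [regex]::Escape($From)   # -replace is case-insensitive, so DC= and dc= both match
    if ($Line -match '^(?<attr>[A-Za-z0-9.;-]+)::\s*(?<b64>\S+)$') {
        $plain = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches.b64))
        if ($plain -notmatch $pattern) { return $Line }
        $plain = $plain -replace $pattern, $To
        return "$($Matches.attr):: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))
    }
    return $Line -replace $pattern, $To
}

$original  = Join-LdifLine -Lines (Get-Content -Path $InFile)
$rewritten = foreach ($line in $original) { Convert-LdifLine -Line $line -From $OldSuffix -To $NewSuffix }

# Unicode output so the file round-trips regardless of the export's original code page
Set-Content -Path $OutFile -Value $rewritten -Encoding Unicode
$objects = ($rewritten | Where-Object { $_ -like 'dn:*' }).Count
"Rewrote $($rewritten.Count) lines covering $objects objects into $OutFile"

# Same import switches the post uses: -k keeps going on per-object errors and
# -j writes the log to the given folder; -u tells ldifde the file is Unicode.
& ldifde -i -u -k -f $OutFile -s newserver -j 'C:\'
```

ldifde also has its own -c FromDN ToDN switch, which substitutes the suffix while importing and avoids editing the file at all; the script above is for the case where you want to inspect or keep the rewritten export before it touches the new domain.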
LDIFDE imports the users without a password and with the account disabled. The next step was to enable all the accounts and give them a password. I wrote a script to do this against all users apart from a few we don't want passwords applied to:
Option Explicit
Dim oDomain, oObject
Set oDomain = GetObject("WinNT://newdomain.local")
For Each oObject in oDomain
    'Only run if the AD object is a user and if it is not any of the following user accounts.
    If oObject.Class = "User" and oObject.Name <> "Administrator" and oObject.Name <> "Guest" and oObject.Name <> "krbtgt" Then
        'Set the password to P@ssw0rd
        oObject.SetPassword "P@ssw0rd"
        'Check if account is disabled, if so enable it.
        If oObject.AccountDisabled = TRUE Then
            oObject.AccountDisabled = FALSE
        End If
        'Once done write the change for each user object in Active Directory
        oObject.SetInfo
    End If
Next
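The VBScript above gives every imported account the same known password and leaves it valid until the user happens to change it. The PowerShell script below is an added example, not part of the original post: it performs the same enable-and-set-password pass with the ActiveDirectory module, skipping the same three accounts, but gives each account its own random password that satisfies the default domain complexity rule, flags the account so the user must change it at first logon, and writes the one-time passwords to a file that only the account running the script can read. The report path is an assumed placeholder.

```powershell
# Added example (not part of the original post): enable every imported user and
# set a unique one-time password, using the ActiveDirectory module. The report
# path is an assumed placeholder.
Import-Module ActiveDirectory

# Same accounts the original VBScript skips
$Exclude = @('Administrator', 'Guest', 'krbtgt')
$Report  = 'C:\initial-passwords.csv'

# 69 characters, chosen to avoid look-alikes (I, O, l, 0, 1)
$Alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'

function New-RandomPassword {
    param([int]$Length = 16)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $Alphabet.Length)   # reject bytes at or above this to avoid modulo bias
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; ) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { $chars[$i] = $Alphabet[$byte[0] % $Alphabet.Length]; $i++ }
        }
        $password = -join $chars
        # Regenerate until upper, lower, digit and symbol are all present, so the
        # default domain password policy (3 of 4 classes) cannot reject the reset
    } until ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and
             $password -match '[0-9]' -and $password -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $password
}

$results = foreach ($user in Get-ADUser -Filter *) {
    if ($Exclude -contains $user.SamAccountName) { continue }
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # sets pwdLastSet to 0
    if (-not $user.Enabled) { Enable-ADAccount -Identity $user }
    [pscustomobject]@{ SamAccountName = $user.SamAccountName; InitialPassword = $plain }
}

# Record the one-time passwords for handover, readable only by the current account
$results | Export-Csv -Path $Report -NoTypeInformation
& icacls $Report /inheritance:r /grant:r "$($env:USERNAME):(F)" | Out-Null
"Reset and enabled $($results.Count) accounts; initial passwords written to $Report"
```

Delete the report once the passwords have been handed over; the ChangePasswordAtLogon flag means none of them outlives the user's first logon.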
I then simply used GPMC to export and import the group policy objects to the right locations. The reason this client did not want to use ADMT was that they were not keeping their existing file server and data. This process generates new SIDs for each user account, so any access control lists you may have set up, whether on NTFS, certificates or anything else, will not carry over because the user SIDs have changed. I hope you find bits of information from this post helpful.