Transfer accounts from Windows to Windows


The script below copies user account properties and passwords from one Windows server to another, so that users can log on to the new Windows server with their old user name and password.

·Properties transferred in the example are first name, initials, last name, email address, phone number, account name and password hash.  
·Other properties can be transferred with minor modifications to the script: the "ListOfProperties" parameter of the "Data.Get.AD" command lists the source properties, and each "AD.Account.SetProperty" command names one property to be written.  
·Extract accounts from a single container, a container including subcontainers, or all accounts in a group, by modifying parameters for the "Data.Get.AD" command.  
·Write accounts to any destination container or recreate the structure from the source server.  

Requirements
Windows source server
·Windows Server 2000 or 2003 with Active Directory (the script can be modified for NT4; replace "Data.Get.AD" with "Data.Get.SAM")  
·Full administrative privileges; specify the source domain administrator password in the SrcAdminPass variable in [Settings].  

Windows destination server
·Windows Server 2000 or 2003 with Active Directory (the script can be modified for NT4; replace "AD.Account.Create" and "AD.Account.SetProperty" with "Account.Create")  
·Full administrative privileges; log on as domain administrator for the target domain on the local machine (where the Admwin executable runs)  

Script

[Settings_Begin]
BatchSettings.Delimiter=,
BatchSettings.MarkerCol=18
BatchSettings.MarkersAutoRemove=Yes

// Source: Windows domain path
SET SrcADDomainPath=srv03/dc=com/dc=acme/dc=d41
SET SrcADContainer=cn=Users
SET SrcADContainerPath=%SrcADDomainPath%/%SrcADContainer%
// Source: NetBIOS name of Windows server to extract password hashes from
SET SrcWinNetBIOSName=\\srv03
SET SrcAdminUser=d41\Administrator
SET SrcAdminPass=password

// Destination: Windows domain path
SET DstADDomainPath=dc=com/dc=acme/dc=d31
SET DstADContainer=cn=Users
SET DstADContainerPath=%DstADDomainPath%/%DstADContainer%
// Destination: NetBIOS Name of Windows Server to copy password hashes to
SET DstWinNetBIOSName=\\main04

// Source & destination: Data section columns (Col function converts X to %colX%)
SET ColADpath=1
SET ColEmail=3
SET Email=Col(%ColEmail%)
SET ColFirstName=4
SET FirstName=Col(%ColFirstName%)
SET ColInitials=5
SET Initials=Col(%ColInitials%)
SET ColLastName=6
SET LastName=Col(%ColLastName%)
SET ColPhone=7
SET Phone=Col(%ColPhone%)
SET ColSamAccountName=8
SET SamAccountName=Col(%ColSamAccountName%)
SET CommonName=Col(%ColSamAccountName%)
SET UserPrincipalName=Col(%ColSamAccountName%)@mydomain.com
SET ColLMPasswordHash=9
SET ColNTPasswordHash=10
SET NTPasswordHash=Col(%ColNTPasswordHash%)

// Destination: AD.Account.Create sets temporary password below, almost instantly overwritten by Account.Edit.PasswordHashes / NTPasswordHash
SET Password=adko_-09-ic"Bb

// Characters for Data.Column.Check commands
SET HexCharset=0123456789ABCDEF
SET Charset=%HexCharset%GHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz@.
[Settings_End]

[Init_Batch_Begin]
// Log on to remote untrusted domain   
LogonAs %SrcWinNetBIOSName%, %SrcAdminUser%, %SrcAdminPass%   
// Get data from AD   
Data.Get.AD Container,%SrcADContainerPath%,User,Yes, ADpath§%ColADpath%§mail§%ColEmail%§givenName§%ColFirstName%§Initials§%ColInitials%§sn§%ColLastName%§telephoneNumber§%ColPhone%§samAccountName§%ColSamAccountName%§   
// Get passwords from Security Account Manager   
Data.Get.SAM.PasswordHashes %SrcWinNetBIOSName%,%ColSamAccountName%,%ColLMPasswordHash%,%ColNTPasswordHash%   
// Make sure that all accounts have an e-mail address, first name, last name and password hash   
Data.Column.Check %ColEmail%, User_ChrLen, %Charset%, 1, 30   
Data.Column.Check %ColFirstName%, User_ChrLen, %Charset%, 1, 30   
Data.Column.Check %ColLastName%, User_ChrLen, %Charset%, 1, 30   
Data.Column.Check %ColNTPasswordHash%, User_ChrLen, %HexCharset%, 32, 32   
// Check for duplicate destination Windows account names   
Data.Column.DupeCheck %ColSamAccountName%,CN,%DstADContainerPath%,FindDuplicates   
Data.Show Transfer all these accounts?   
[Init_Batch_End]

[Batch_Begin]
Data.Loop   
 AD.Account.Create %DstADContainerPath%, %CommonName%, %SamAccountName%, %Password%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", UserPrincipalName, %UserPrincipalName%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", FirstName, %FirstName%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", Initials, %Initials%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", LastName, %LastName%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", AccountDisabled, No   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", TelephoneNumber, %Phone%   
 AD.Account.SetProperty "%DstADContainerPath%/cn=%CommonName%", EmailAddress, %Email%   
 Account.Edit.PasswordHashes %DstWinNetBIOSName%, %SamAccountName%, INACTIVE, %NTPasswordHash%   
Data.EndLoop   
[Batch_End]

[Data_Begin]
[Data_End]
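
A pre-flight review of the extracted rows, as an added example in Python (not part of the Admwin script or product): it repeats the script's length and 32-hex-character checks and additionally flags blank-password hashes, shared NT hashes and account names duplicated within the export, all of which a hash transfer would carry over unchanged. The comma-delimited export layout, the `preflight` name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# 1-based column numbers, taken from the Col* settings in the script above.
COL_EMAIL, COL_FIRST, COL_LAST, COL_SAM, COL_NT = 3, 4, 6, 8, 10
HEX = set("0123456789ABCDEF")
# NT hash of the empty string: an account carrying it has a blank password.
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample rows (assumed comma-delimited export; not real accounts).
SAMPLE = """\
cn=alice,,alice@example.com,Alice,A,Archer,555-0101,alice,,0123456789ABCDEF0123456789ABCDEF
cn=bob,,bob@example.com,Bob,B,Baker,555-0102,bob,,0123456789ABCDEF0123456789ABCDEF
cn=carol,,carol@example.com,Carol,C,Clark,555-0103,carol,,31D6CFE0D16AE931B73C59D7E0C089C0
cn=dave,,,Dave,D,Dunn,555-0104,dave,,1234
"""


def preflight(text):
    """Return (row, account, problem) tuples for rows that should be reviewed."""
    findings, by_hash, seen = [], defaultdict(list), set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [c.strip() for c in row] + [""] * (COL_NT - len(row))
        sam, nt = row[COL_SAM - 1], row[COL_NT - 1].upper()
        for label, idx in (("email", COL_EMAIL), ("first name", COL_FIRST),
                           ("last name", COL_LAST)):
            if not 1 <= len(row[idx - 1]) <= 30:
                findings.append((n, sam, f"{label} length not 1-30"))
        if len(nt) != 32 or not set(nt) <= HEX:
            findings.append((n, sam, "NT hash is not 32 hex characters"))
        elif nt == EMPTY_NT:
            findings.append((n, sam, "blank password (empty-string NT hash)"))
        else:
            by_hash[nt].append((n, sam))
        if sam.lower() in seen:
            findings.append((n, sam, "duplicate account name"))
        seen.add(sam.lower())
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    for users in by_hash.values():
        if len(users) > 1:
            names = ", ".join(s for _, s in users)
            findings += [(n, s, f"NT hash shared by: {names}") for n, s in users]
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(*finding, sep=": ")
```

Accounts flagged for a blank or shared hash are candidates for a forced password change on the destination domain rather than a straight hash copy.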