Cheat Sheet for Active Directory Migration Tool Rights

In the manual "ADMT Guide: Migrating and Restructuring Active Directory Domains", section "Enabling Migration of Passwords", the following instruction is a tad vague:

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

While technically true, this instruction lacks the important caveat of exactly which account requires membership in the Administrators group, and in which domain. Below is the table I created for my own reference; following it has resulted in error-free object migrations every time. The rows are paired: row 1 on the target side goes with row 1 on the source side, and so on.

Target Domain:
  1. The PC running ADMT must be joined to the target domain.
  2. The domain account running ADMT needs rights to write to the OU that the source objects will be copied to.
  3. Run ADMT under an account that is logged into the target domain and is a member of the source domain's "Administrators" group.

Source Domain:
  1. A two-way trust with the target domain.
  2. Run the password migration service (Password Export Server) under an account from the source domain that has full control over the user objects.
  3. Add the target domain account that runs ADMT to the source domain's "Administrators" group.
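The following PowerShell pre-flight script checks the table's rows from the ADMT host before a migration is started. It is an added example, not code from the original post or from the ADMT documentation, and it assumes placeholder values that must be replaced: target domain target.example, source domain source.example, an ADMT run account named admt-run in the target domain, and a migration OU of OU=Migrated,DC=target,DC=example. Run it on the ADMT host, as the account that will run ADMT, with the RSAT ActiveDirectory module installed. The third check failing is the situation that produces the "Access is denied" account replicator error shown in the log excerpt further down.

```powershell
# Added pre-flight check for the ADMT rights table above (example code, not from
# the original post). Assumed values, replace with your own:
$TargetDomain = 'target.example'
$SourceDomain = 'source.example'
$AdmtAccount  = 'admt-run'                          # sAMAccountName, lives in the TARGET domain
$TargetOU     = 'OU=Migrated,DC=target,DC=example'  # OU that migrated objects land in

Import-Module ActiveDirectory

$script:AllPassed = $true
function Check([string]$Name, [bool]$Passed) {
    if ($Passed) { Write-Host "[PASS] $Name" }
    else         { Write-Host "[FAIL] $Name"; $script:AllPassed = $false }
}

# Row 1, target side: the ADMT host must be a member of the target domain.
$hostDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
Check "ADMT host is joined to $TargetDomain (found: $hostDomain)" ($hostDomain -ieq $TargetDomain)

# Row 1, source side: the trust between the two domains must be two-way.
$trust = Get-ADTrust -Filter "Name -eq '$SourceDomain'" -Server $TargetDomain
Check "Two-way trust with $SourceDomain" ($null -ne $trust -and $trust.Direction -eq 'BiDirectional')

# Rows 2 and 3 need the run account's SID: that is how a target-domain account
# shows up in source-domain ACLs and group memberships.
$acct = Get-ADUser -Identity $AdmtAccount -Server $TargetDomain
$sid  = $acct.SID.Value
$nt   = "$((Get-ADDomain -Server $TargetDomain).NetBIOSName)\$AdmtAccount"

# Row 2, target side: the run account must be able to create objects in the
# migration OU. This looks only at ACEs granted directly to the account; rights
# it gets through group membership (e.g. Domain Admins) will not match here.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$TargetOU"
$writeAce = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -ieq $nt -or $_.IdentityReference.Value -eq $sid) -and
    ((($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -or
     (($_.ActiveDirectoryRights -band $genericAll)  -eq $genericAll))
}
Check "$nt has a direct CreateChild/GenericAll ACE on $TargetOU" ($null -ne $writeAce)

# Row 3: the run account must be a direct member of the source domain's
# Administrators group. Members from another domain are stored as foreign
# security principals whose DN is CN=<SID>,CN=ForeignSecurityPrincipals,...
$srcAdmins = Get-ADGroup -Identity 'Administrators' -Server $SourceDomain -Properties member
$fsp = $srcAdmins.member | Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" }
Check "$nt is in $SourceDomain\Administrators (as FSP $sid)" ($null -ne $fsp)

# Row 2, source side (the Password Export Server service account) is not checked
# here; verify that account's rights on the source user objects by hand.

if (-not $script:AllPassed) { Write-Warning 'Fix the FAIL items before running ADMT.'; exit 1 }
```

The group and OU checks are deliberately strict: they look for the target account itself, not for a group it belongs to, because that is how the table says to grant the rights. If you prefer to grant them through a group, adjust the two Where-Object filters to match that group's DN or identity instead.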

One tell-tale sign that the target domain account running ADMT is not in the source domain's Administrators group is this error in the log file located at c:\windows\admt\logs\MigrationXXXX.txt:

[Object Migration Section]
2012-04-12 17:12:41 Starting Account Replicator.
2012-04-12 17:12:48 ERR3:7585
The account replicator is unable to continue.   Access is denied.
2012-04-12 17:12:48 Operation completed.
