DOCUMENT:Q266083  10-AUG-2001  [winnt]
TITLE   :How to Migrate Objects from One Domain to Another Domain
PRODUCT :Microsoft Windows NT
PROD/VER:winnt:4.0
OPER/SYS:
KEYWORDS:

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
-------------------------------------------------------------------------------

SUMMARY
=======

This article describes how you can copy domain objects from one domain to
another by using the utilities provided in the Windows NT 4.0 Resource Kit
Supplement, as follows:

 - Addusers.exe can be used to import and export user and group accounts
   from one domain to another.

 - Rmtshare.exe can be used to remotely create or delete shares.

 - Scopy.exe can be used to copy NTFS file and folder permissions from one
   share to another. Note that this utility does not copy share permissions.

 - Permcopy.exe can be used to copy share permissions from one share to
   another.

 - Subinacl.exe can be used to obtain security information on files,
   registry keys, and services, and to transfer this information from user
   to user, from group to group, and from domain to domain.

MORE INFORMATION
================

Migrating Users and Groups to Another Domain
--------------------------------------------

To migrate users and groups to another domain, use the Addusers.exe utility:

1. Use the following command to dump existing user and group accounts to a
   file:

      addusers \\computer_name|domain_name /d filename

   where computer_name|domain_name is the name of the primary domain
   controller (PDC) computer that contains the user and group information
   for the specified domain, and filename is the new file that will contain
   the user and group account information.

   When user and group information is dumped to a file, it is saved in a
   comma-delimited format. Dumping user account information does not save
   user account passwords or any security information to the file. When you
   use this dump file to migrate users to another domain, all the newly
   created user accounts have a blank password and all the newly created
   users are required to change their password at logon by default.

2. Use the following command to add the users and groups to the new domain:

      addusers \\computer_name|domain_name /c filename

   where computer_name|domain_name is the name of the PDC computer and the
   domain where the user accounts will be created, and filename is the name
   of the comma-delimited dump file that contains the user and group
   information.

Creating Shares Remotely
------------------------

To create or delete shares on a remote server, use the RMTShare.exe utility
with the following syntax:

   rmtshare \\server[\sharename[=path [/printer]]] [/grant [user[:perms]]]
   [/remove user] [/users:number] [/unlimited] [/remark:"text"] /delete

where:

 - \\server\sharename are the server and share to create, inspect, modify,
   or delete.

 - /grant user:perms adds the name of a valid user or group on the server
   with permissions or changes the user's permissions in an access control
   list. Valid permissions are r=read, c=change (write), f=full, n=none. You
   can type "READ", but only the first character is used.

 - /remove user removes the specific entry for a user; that user then
   inherits permissions (in contrast to "/grant user:none", which denies any
   access at all to user).

 - /users:number is the number of users with privileges to the server and
   share.

 - /delete deletes the share specified by \\server\sharename.

Copying File and Share Permissions
----------------------------------

Two utilities are required to copy NTFS and share permissions. The Scopy.exe
utility is used to copy NTFS file and folder permissions, and the
Permcopy.exe utility is used to copy share permissions:

1. To copy files and folders and retain their NTFS file and folder
   permissions, use the Scopy.exe utility with the following syntax:

      scopy source destination /o /a /s

   where source is the path to the source directory and destination is the
   path to the destination directory. The /o option copies owner security
   information, /a copies auditing information, and /s includes all files in
   subdirectories.

   The Scopy.exe utility cannot copy files to or from file systems that do
   not use security, such as FAT and HPFS. Scopy.exe copies only NTFS
   security information; it cannot be used to copy share permissions.

2. To copy share permissions from one share to another, use the Permcopy.exe
   utility with the following syntax:

      permcopy \\source_server\share_name \\destination_server\share_name

   where source_server\share_name and destination_server\share_name are the
   UNC paths to the source and destination shares.

   CAUTION: You cannot use the Permcopy.exe utility to copy permissions of
   an administrative share (sharename$, such as C$ or IPC$). Copying
   permissions to an administrative share located on an x86 computer will
   cause Services.exe to crash.

Migrating Registry Keys, Services, and Other Objects
----------------------------------------------------

To migrate other domain objects, use the Subinacl.exe utility. Subinacl.exe
can be used to obtain security information on files, directories, registry
keys, and services, and to transfer this information from user to user, from
group to group, and from domain to domain. Subinacl.exe uses the following
syntax:

   subinacl /object_type object_name /action=parameter /action=parameter

Object types that can be manipulated by the Subinacl.exe utility include:

 - Registry keys and subkeys
 - Files
 - Directories
 - Shares
 - Services
 - Kernel objects

Actions that can be performed on the above objects include:

 - Display
 - Change ownership
 - Replace all access control entries in the object.
 - Change domain name of the object
 - Migrate the object from one domain to another.

Example: To replace the security identifiers in all access control entries
that contain DOMAIN1\SALES with those of DOMAIN2\SALES, use the Subinacl.exe
utility as follows:

   subinacl /replace=DOMAIN1\SALES=DOMAIN2\SALES

For more information about the syntax and use of these tools, refer to the
RKTools.hlp file in Windows NT Server 4.0 Resource Kit Supplement 3.

Additional query words:

======================================================================
Keywords          :
Technology        : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400
Version           : winnt:4.0
Issue type        : kbinfo
=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2001.
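
Added example (not part of the original article or the Resource Kit): because accounts created from an Addusers.exe dump start with a blank password, this Python script reads a dump file and reports which blank-password accounts belong to privileged groups, so those passwords can be set first. The [User]/[Global]/[Local] section layout, the group names in PRIVILEGED, and the sample data are assumptions; the article states only that the file is comma-delimited.

```python
import csv
import io

# Assumed dump layout (the article only says "comma-delimited"):
#   [User]   name,full name,password,comment,home drive,home path,profile,script
#   [Global] group,comment,member,...      [Local] group,comment,member,...
PRIVILEGED = {"domain admins", "administrators", "account operators",
              "server operators", "backup operators"}

# Constructed sample dump; every name in it is illustrative.
SAMPLE_DUMP = """\
[User]
alice,Alice Example,,Sales lead,,,,
bob,Bob Example,,Operator,,,,
svc_backup,Backup service,,Service account,,,,
[Global]
Domain Admins,Designated administrators of the domain,bob
Domain Users,All domain users,alice,bob,svc_backup
[Local]
Backup Operators,Can bypass file security to back up files,DOMAIN1\\svc_backup
"""

def parse_dump(text):
    """Return {section name: [rows]} for an addusers-style dump."""
    sections, current = {}, None
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if len(row) == 1 and row[0].startswith("[") and row[0].endswith("]"):
            current = sections.setdefault(row[0][1:-1].lower(), [])
        elif current is not None and any(row):
            current.append(row)
    return sections

def blank_password_privileged(text):
    """Map each blank-password user to the privileged groups it is in."""
    sections = parse_dump(text)
    blank = {r[0].lower() for r in sections.get("user", [])
             if len(r) < 3 or not r[2]}
    findings = {}
    for row in sections.get("global", []) + sections.get("local", []):
        if row[0].lower() not in PRIVILEGED:
            continue
        for member in row[2:]:
            name = member.split("\\")[-1].lower()  # drop any DOMAIN\ prefix
            if name in blank:
                findings.setdefault(name, []).append(row[0])
    return findings
```

Run it against the dump before the `addusers /c` step; any account it returns should have a password set immediately after creation rather than waiting for the user's first logon.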