To download PES see this blog post.
If, in addition to the objects themselves (users, groups, computers, etc.), you also need to migrate passwords, you must install the Password Export Server (PES) service on a writable domain controller (RWDC) in the source AD domain. Any RWDC will do, but PES cannot be installed on a read-only domain controller (RODC). When ADMT migrates passwords, its default behaviour is to set "User must change password at next logon" on every target user account, except where the source account has "Password never expires" (most likely service accounts) or "Smart card is required for interactive logon" set. After the password migration you can clear "User must change password at next logon" again with PowerShell, ADMOD or any other LDAP modification tool.
Assuming the OU "OU=Migrated-Users,DC=ADCORP,DC=LAB" contains all migrated user accounts…
- PowerShell –> Get-ADUser -SearchBase "OU=Migrated-Users,DC=ADCORP,DC=LAB" -Filter * | %{Set-ADUser $_.SamAccountName -ChangePasswordAtLogon $false}
- ADFIND/ADMOD –> ADFIND -b "OU=Migrated-Users,DC=ADCORP,DC=LAB" -f "(&(objectCategory=person)(objectClass=user))" -adcsv | ADMOD pwdLastSet::-1
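The two one-liners above clear the flag on every account in the OU. The following is an added PowerShell example (not from the original post) that does the same thing more carefully: it only touches accounts that actually carry the flag (pwdLastSet = 0), skips the "password never expires" and smartcard-only accounts that ADMT itself would never have flagged, supports -WhatIf for a dry run, and returns whatever is still flagged afterwards so you can verify. The OU path is the one from the post; the function name is my own.

```powershell
# Added example, not part of the original post or of ADMT.
# Clears "User must change password at next logon" on migrated accounts, mirroring
# the exceptions ADMT applies when it sets the flag in the first place.
Import-Module ActiveDirectory

function Clear-MigratedChangePasswordFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # OU holding the migrated users, e.g. 'OU=Migrated-Users,DC=ADCORP,DC=LAB'
        [Parameter(Mandatory)][string]$SearchBase
    )

    # pwdLastSet = 0 is how "must change password at next logon" is stored in AD,
    # so only those accounts are candidates.
    $candidates = Get-ADUser -SearchBase $SearchBase -Filter 'pwdLastSet -eq 0' `
        -Properties PasswordNeverExpires, SmartcardLogonRequired

    foreach ($u in $candidates) {
        # ADMT leaves these alone; if the flag is set on one of them it was set by hand,
        # so do not silently undo that here.
        if ($u.PasswordNeverExpires -or $u.SmartcardLogonRequired) {
            Write-Verbose "Skipping $($u.SamAccountName) (never-expires or smartcard-only)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear "change password at next logon"')) {
            # Equivalent to writing pwdLastSet = -1 (the ADMOD form in the post).
            Set-ADUser -Identity $u -ChangePasswordAtLogon $false
        }
    }

    # Return what is still flagged in the OU; after a real run this should be empty
    # apart from the accounts deliberately skipped above.
    Get-ADUser -SearchBase $SearchBase -Filter 'pwdLastSet -eq 0' |
        Select-Object -ExpandProperty SamAccountName
}

# Dry run first, then the real run.
Clear-MigratedChangePasswordFlag -SearchBase 'OU=Migrated-Users,DC=ADCORP,DC=LAB' -WhatIf
Clear-MigratedChangePasswordFlag -SearchBase 'OU=Migrated-Users,DC=ADCORP,DC=LAB' -Verbose
```

Keep in mind why ADMT sets the flag by default: after a password migration the same password is valid in both the source and the target domain, so forcing a change in the target is the safer default. Clearing it is a deliberate trade-off for user convenience, which is why the example makes you opt in with a dry run.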
PES is tightly coupled to ADMT: the encryption key that PES uses must be created on the server where ADMT is installed before you even start the PES installation.
To create the encryption key on the server with ADMT:
- Open a command prompt window and navigate to the folder "C:\Windows\ADMT"
- ADMT key /option:create /sourcedomain:ADCORP.LAB /keyfile:C:\Windows\ADMT\ADMTPESEncryptionKeyFile.pes /keypassword:*
Figure 1: Creating The Encryption Key File For PES On The Server With ADMT
Securely transfer the key file to the RWDC that will host the PES service. The key protects the password data that PES will send to ADMT, so treat the file (and its password) as a secret in transit and at rest. You can now start the installation of PES.
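The key creation and transfer steps above, as an added PowerShell example (not from the original post): it runs the same ADMT key command, copies the resulting file to the RWDC over the administrative share, verifies the copy by hash, and then removes the staging copy on the ADMT server. The DC name RWDC01.ADCORP.LAB and the destination folder are assumptions; the ADMT path and file name are the ones used in the post.

```powershell
# Added example, not part of the original post or of ADMT. Run on the ADMT server.
$AdmtDir  = 'C:\Windows\ADMT'
$KeyFile  = Join-Path $AdmtDir 'ADMTPESEncryptionKeyFile.pes'
$TargetDC = 'RWDC01.ADCORP.LAB'     # assumed RWDC that will run PES
$Dest     = "\\$TargetDC\C$\ADMT"   # assumed staging folder on that DC

# /keypassword:* makes admt.exe prompt for the password instead of taking it on the
# command line, where it would otherwise end up in shell history and process listings.
& (Join-Path $AdmtDir 'ADMT.exe') key /option:create /sourcedomain:ADCORP.LAB `
    /keyfile:$KeyFile /keypassword:*
if ($LASTEXITCODE -ne 0) { throw "admt key failed with exit code $LASTEXITCODE" }

# Record the hash before the copy so the copy can be verified independently.
$localHash = (Get-FileHash -Path $KeyFile -Algorithm SHA256).Hash

New-Item -ItemType Directory -Path $Dest -Force | Out-Null
Copy-Item -Path $KeyFile -Destination $Dest
$remotePath = Join-Path $Dest (Split-Path $KeyFile -Leaf)
$remoteHash = (Get-FileHash -Path $remotePath -Algorithm SHA256).Hash

if ($remoteHash -ne $localHash) {
    throw "Key file hash mismatch after copy: local $localHash, remote $remoteHash"
}
"Key file copied to $remotePath (SHA256 $remoteHash)"

# Only the copy on the DC is needed from here on; do not leave a second copy lying
# around on the ADMT server. Remove the DC copy too once PES setup has consumed it.
Remove-Item -Path $KeyFile -Force
```

SMB between the ADMT server and the DC should already be signed and, on current Windows versions, encrypted by policy; if it is not, the file is still only useful to someone who also knows the key password, which is why the password is never written anywhere in this example.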
Figure 2: Selecting The Encryption Key File For PES
Figure 3: Specifying The Password Securing The Encryption Key File
The Password Export Server (PES) service can be configured to run under a service account. This removes the dependency on the "Pre-Windows 2000 Compatible Access" group, which previously had to contain the well-known security principals "Everyone" and "Anonymous Logon" (on Windows 2000 only "Everyone", because by default that already included "Anonymous Logon"). Therefore, preferably use a service account rather than the Local System account.
Figure 4: Specifying The Service Account That Will Be Used By The Password Export Server Service
Setup grants the PES service account the "Log on as a service" user right. After the installation you must reboot the RWDC.
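A post-install check for the service account and user right just described, as an added PowerShell example (not from the original post). It is meant to run on the RWDC after the reboot. It assumes the Password Export Server service is registered under the service name PesSvc and that ADCORP\svc-pes is the service account you chose; both are assumptions to adjust.

```powershell
# Added example, not part of the original post or of ADMT. Run elevated on the RWDC.
$expectedAccount = 'ADCORP\svc-pes'   # assumed PES service account

# 'PesSvc' is assumed to be the service name of the Password Export Server service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PesSvc'"
if (-not $svc) {
    throw 'PES service not found: was the installation completed and the RWDC rebooted?'
}

[pscustomobject]@{
    DisplayName = $svc.DisplayName
    RunsAs      = $svc.StartName
    StartMode   = $svc.StartMode
    State       = $svc.State
} | Format-List

if ($svc.StartName -ne $expectedAccount) {
    Write-Warning ("PES runs as '{0}', not '{1}'; with Local System the " +
        "Pre-Windows 2000 Compatible Access dependency still applies") -f $svc.StartName, $expectedAccount
}

# Confirm the account really holds 'Log on as a service' (SeServiceLogonRight) by
# exporting the effective local user-rights assignment and looking for its SID.
$sid = ([System.Security.Principal.NTAccount]$expectedAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'pes-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$right = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
Remove-Item -Path $cfg -Force

if ($right -and $right -match [regex]::Escape($sid)) {
    "$expectedAccount holds SeServiceLogonRight"
} else {
    Write-Warning ("$expectedAccount lacks SeServiceLogonRight. If that right is defined in a " +
        "GPO applied to domain controllers, the GPO overwrites the locally granted right at " +
        "the next policy refresh; add the account to the right in that GPO instead")
}
```

The GPO caveat is the one that bites in practice: setup grants the right in the local policy of the DC, but user rights defined in a GPO linked to the Domain Controllers OU replace the local setting, so the service can stop starting after the next refresh. Leave the service stopped until you are ready to migrate passwords and stop it again afterwards; it only needs to run during the migration window.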
For additional info see the ADMT Migration Guide.
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————