Recently, we had to migrate an application that uses windows authentication from an old server to a new one. Of course, we did not want the users to lose their passwords in the migration. Also, as there were several hundred users, we did not want to recreate the user accounts by hand.
Migration can be divided into two parts:
- Migrate the user accounts
- Migrate the passwords
A. Migrate user accounts
Migrating user accounts (without passwords) can be done using the AddUsers tool from the Windows Resource Kit (see http://support.microsoft.com/kb/199878). It can be downloaded from http://www.petri.co.il/download_free_reskit_tools.htm
On the source server,
- Download AddUsers
- From the command prompt, run AddUsers /d users.txt , to dump user account information to a file with name users.txt. Note that this file will not contain passwords.
- Open users.txt with a text editor. Users.txt has three sections: [Users], [Global] and [Local ]. The [Users] section has one line User Name,Full name, Password, Description, HomeDrive, Homepath, Profile for every user on the source server.
- Remove the user entries that do not have to be migrated (e.g. the system accounts). Similarly, remove all groups that do not have to be migrated from the [global] and [local] sections.
- Be weary of comma’s in Descriptions in users.txt, as they interfere with the comma delimitation. There is an option to use a different delimiter if needed.
- The target server is unlikely to allow users to be created without a password. For each user, add a temporary Password (e.g. temp123).
- Users are added to groups using the source machine’s name. Change this to the name of the target machine (e.g., globally replace the source machine’s name with the target machine’s name).
- Copy users.txt to the target server.
On the target server,
- Download AddUsers
- From the command prompt, run AddUsers /c users.txt /p:e
This recreates all users and groups in users.txt on the target server, and adds the users to the right groups. The /p:e option ensures that passwords do not expire.
B. Migrate passwords
Migrating passwords can be done using the copypwd tool. See http://www.systemtools.com/free.htm for documentation and download. Warning: do not use the steps below if the data on the server is extremely sensitive.
- Download copypwd on the source server.
- In this step, we create a file copypwd.txt that contains every user name on the source server, and a hash that represents the password for that user.
- If you are not accessing the source server using a remote desktop connection, run copypwd DUMP > copypwd.txt.
- If you are accessing the source server using a remote desktop connection, copypwd cannot be run remotely. Take the following steps.
- Go to Control Panel/Administrative Tools/Component Services, Services. Start the Task Scheduler service if is stopped. If the service is stopped and the option to start is greyed out, then right-click it, select properties, and set startup type to manual. Then start the Task Scheduler.
- Create a batch file run.bat in a directory path that executes copypwd DUMP > copypwd.txt
- From the command prompt, run: at hh:mm “c:\path\run.bat” (where hh:mm is one minute in the future)
- After one minute, this creates the copypwd.txt file that contains the passwords.
- Stop the task manager if it was started in step 2a.
- Copy copypwd.txt to the target server.
- Update the passwords using copypwd SET. As in step 2, copypwd can’t be run using a remote connection.
- Make sure the Task Manager service is running on the target server, see step 2a.
- Create a batch file run.bat in a directory path that executes copypwd SET > done.txt
- From the command prompt, run: at hh:mm “c:\path\run.bat”
- After one minute, this will update all the users and create the file done.txt. Check done.txt to see if the update was succesfull.
- Stop the Task Scheduler if it was started in step 4a.
- Delete the password info and the user account info on the source and target servers.
that’s it! and it only took only 25 simple steps…
