Thursday, January 21, 2021

CopyRight2 vs. ADMT

CopyRight2 is a product for the migration of Active Directory accounts and provides features that go beyond what Microsoft's Active Directory Migration Toolkit, shortly ADMT, has to offer. Opposed to Microsoft's ADMT, CopyRight2 does not require a trust between the two domains, neither any agents that have to be installed, nor does it require a SQL server instance. As it supports sidHistory-less migrations, there is no security risk attached to it.

Besides of functionality for account migrations between domains, member servers and workgroup enabled systems, it also integrates features to migrate server resources like file systems including file shares, share- and NTFS level permissions.

CopyRight2 supports Windows Active Directory, Azure AD Connect, AWS Directory Service and Univention's UCS Domain Controller Appliance as source or target.

Migrate Users, Groups, Distribution Lists, Contacts and OUs

With CopyRight2 you can migrate Active Directory users (including passwords), groups (including members), distribution lists (including members), contacts, organizational units and containers. The product supports all existing types of Active Directory groups, no matter if it is local, global, universal, security or distribution list groups.

In opposition to ADMT, CopyRight2 can also migrate local accounts from domain member computers and workgroup configured systems to domains and vice versa.

Easy Deployment

CopyRight2 can be installed on any computer, preferably on a domain controller of the source or the destination domain. Once the software is installed, it can be used right away to define and interactively run migration jobs or schedule jobs for background execution at a specified time. This is usually not the case with Microsoft's ADMT.

24/7 Support and 2 Years of Free Updates/Upgrades

The product price includes 24/7 support and 2 years of free maintenance updates & upgrades as available. In case there is a problem using the software, you can get in touch with Sys-Manage's support at any time.

With CopyRight2 there is no additional costs for support contracts as it would be the case with ADMT. Our experienced support engineers have helped thousands of customers to complete their migrations successfully. Please contact us either by email or by telephone.

Select Source Accounts in Multiple Ways

CopyRight2 allows you to migrate...

...all accounts from the source Active Directory.
...accounts selected from the Active Directory tree.
...accounts provided in a specified input text file.
...accounts returned from a LDAP query, by specifying a query root and a query filter condition.

Define Active Directory Attributes to Migrate

As opposed to Microsoft's ADMT, CopyRight2's attribute in- and exclusion list allows you to define graphically which attributes you want to migrate by object class type. You can also provide an empty attribute list, in which case all class specific attributes defined in the Active Directory schema will be copied.

Migrate OU and Container Hierarchy

Using CopyRight2 you can migrate accounts into the default "Users" container or into a specified container, optionally while retaining the original OU and container hierarchy structure.

Transfer Active Directory Object Permissions

CopyRight2 can migrate the permissions set on any Active Directory Objects, such as users, groups, contacts, distribution lists, organizational units and containers. It migrates the permissions (DACL), auditing information (SACL) and the owner.

Schedule Migrations For Background Execution

You can schedule any migration jobs to run automatically in the background at specified intervals. Receive email notifications for the job in case of success and/or error. You can use a scheduled job to setup a continuous replication between domains.

Use Scripts to Customize and Transform Migrated Objects

You can define scripts, based on the object class, executed for each migrated object, allowing you to very easily "transform" migrated objects in case you need to make adjustments to any attribute values. For example you could use the following line of VBScript code to add the prefix "PREFIX_" to migrated object's "samAccountName" attribute:

Destination("samAccountName")="PREFIX_" & Source("samAccountName")

Migrate Users and Groups Using Windows® SID-HISTORY Feature

CopyRight2 supports Windows® sidHistory Active Directory attribute to separate the account migration from the resource migration and computer roll-out. Using this feature allows migrated user and group accounts to access resources still located in the source environment having permissions for the original source accounts only. Beyond that, you can use CopyRight2 to reassign NTFS and file share permissions to use the migrated new accounts and to cleanup the sidHistory attribute once it is no longer needed.

Interforest migrations
If the source and destination domain are located in different domain forests, you create a clone of each source user or group in the destination domain, having the sidHistory attribute set to the corresponding SID of the original account.

Intraforest migrations
If the source and destination domain reside in the same forest, for example a parent <-> child domain relationship, the user and group accounts will be moved between the source and destination domain, causing accounts to get a new SID, but also having the sidHistory attribute set to the corresponding SID of the original accounts. You can find more information about using the sidHistory attribute in the CopyRight2 Documentation.

Account and Data Migration Without SID-HISTORY

It is, however, not a requirement to use the sidHistory attribute with CopyRight2. In contrast to Microsoft's ADMT, you can migrate user and group accounts directly and reassign NTFS and file share permissions of any data on-the-fly while being copied or by processing permissions without moving data.

There are specific scenarios where the use of sidHistory is not recommended. Disabling SID filtering on the source domain, a requirement for resource access using sidHistory, implicitly grants admin accounts of the destination domain administrative access to the source domain, including any resources accessible to it. This may violate given security restrictions.

The official ADMT documentation describes the impact of sidHistory using the following wording: "With SID Filtering disabled, a rogue domain administrator could clone a SID from the other domain and add it to their SID History, granting them unauthorized rights.".

This could be an issue in case of company break ups, de-mergers or other Active Directory domain reorganization scenarios.

Please download a 30-day trial version of CopyRight2.

In case of any questions or suggestions contact us at support@sys-manage.com.

Links

Video Presentations & Tutorials

Active Directory Migrations

TOP 10 Reasons for CopyRight

CopyRight2 Compared

Users Manual

FAQ

What types of AD objects does it migrate?

CopyRight2 can migrate users, contacts, groups (global, local, universal), distribution lists, members, OUs and optionally object permissions (ACL). You can define which attributes you want to migrate per object type. For extensibility you can define small scripts to transform objects during the migration.

Does it require a trust?

No, it does not require a trust between domains. It works though if a trust is in place, but it is not a requirement. You can also migrate objects from a member or workgroup mode system to a domain with it.

Does it support sidHistory?

Yes, it does. If using sidHistory there is a bunch of requirements that need to be fullfilled, for example a trust. Please check the documentation for those. However, you can also migrate without sidHistory and optionally migrate your data using a data migration job, replacing the original accounts with the accounts of the target domain.

Logo Certifications

Downloads

Download CopyRight2 File Server Migration Software

Buy Now

Home - Products - Sales - Support - Download - Customer - Reseller - Contact

Like this? Share it on