CopyRight2 vs. ADMT

With CopyRight2 you can migrate Active Directory users (including passwords), groups (including members), distribution lists (including members), contacts, organizational units and containers. The product supports all existing types of Active Directory groups, no matter if it is local, global, universal, security or distribution list groups.

In opposition to ADMT, CopyRight2 can also migrate local accounts from domain member computers and workgroup configured systems to domains and vice versa.

CopyRight2 can be installed on any computer, preferably on a domain controller of the source or the destination domain. Once the software is installed, it can be used right away to define and interactively run migration jobs or schedule jobs for background execution at a specified time. This is usually not the case with Microsoft's ADMT.

The product price includes 24/7 support and 2 years of free maintenance updates & upgrades as available. In case there is a problem using the software, you can get in touch with Sys-Manage's support at any time.

With CopyRight2 there is no additional costs for support contracts as it would be the case with ADMT. Our experienced support engineers have helped thousands of customers to complete their migrations successfully. Please contact us either by email or by telephone.

CopyRight2 allows you to migrate...

• ...all accounts from the source Active Directory.
  
• ...accounts selected from the Active Directory tree.
  
• ...accounts provided in a specified input text file.
  
• ...accounts returned from a LDAP query, by specifying a query root and a query filter condition.

As opposed to Microsoft's ADMT, CopyRight2's attribute in- and exclusion list allows you to define graphically which attributes you want to migrate by object class type. You can also provide an empty attribute list, in which case all class specific attributes defined in the Active Directory schema will be copied.

Using CopyRight2 you can migrate accounts into the default "Users" container or into a specified container, optionally while retaining the original OU and container hierarchy structure.

CopyRight2 can migrate the permissions set on any Active Directory Objects, such as users, groups, contacts, distribution lists, organizational units and containers. It migrates the permissions (DACL), auditing information (SACL) and the owner.

You can schedule any migration jobs to run automatically in the background at specified intervals. Receive email notifications for the job in case of success and/or error. You can use a scheduled job to setup a continuous replication between domains.

You can define scripts, based on the object class, executed for each migrated object, allowing you to very easily "transform" migrated objects in case you need to make adjustments to any attribute values. For example you could use the following line of VBScript code to add the prefix "PREFIX_" to migrated object's "samAccountName" attribute:

Destination("samAccountName")="PREFIX_" & Source("samAccountName")

CopyRight2 supports Windows® sidHistory Active Directory attribute to separate the account migration from the resource migration and computer roll-out. Using this feature allows migrated user and group accounts to access resources still located in the source environment having permissions for the original source accounts only. Beyond that, you can use CopyRight2 to reassign NTFS and file share permissions to use the migrated new accounts and to cleanup the sidHistory attribute once it is no longer needed.

Interforest migrations
If the source and destination domain are located in different domain forests, you create a clone of each source user or group in the destination domain, having the sidHistory attribute set to the corresponding SID of the original account.

Intraforest migrations
If the source and destination domain reside in the same forest, for example a parent <-> child domain relationship, the user and group accounts will be moved between the source and destination domain, causing accounts to get a new SID, but also having the sidHistory attribute set to the corresponding SID of the original accounts. You can find more information about using the sidHistory attribute in the CopyRight2 Documentation.

It is, however, not a requirement to use the sidHistory attribute with CopyRight2. In contrast to Microsoft's ADMT, you can migrate user and group accounts directly and reassign NTFS and file share permissions of any data on-the-fly while being copied or by processing permissions without moving data.

There are specific scenarios where the use of sidHistory is not recommended. Disabling SID filtering on the source domain, a requirement for resource access using sidHistory, implicitly grants admin accounts of the destination domain administrative access to the source domain, including any resources accessible to it. This may violate given security restrictions.

The official ADMT documentation describes the impact of sidHistory using the following wording: "With SID Filtering disabled, a rogue domain administrator could clone a SID from the other domain and add it to their SID History, granting them unauthorized rights.".

This could be an issue in case of company break ups, de-mergers or other Active Directory domain reorganization scenarios.