Sys-Manage Logo
SSL | Register | Login Sunday, January 26, 2020 Flag en-US 

CopyRight2 vs. ADMT


CopyRight2 is a product for the migration of Active Directory accounts and provides features that go beyond what Microsoft's Active Directory Migration Toolkit, shortly ADMT, has to offer. Opposed to Microsoft's ADMT, CopyRight2 does not require a trust between the two domains, neither any agents that have to be installed, nor does it require a SQL server instance. As it supports sidHistory-less migrations, there is no security risk attached to it.

Besides of functionality for account migrations between domains, member servers and workgroup enabled systems, it also integrates features to migrate server resources like file systems including file shares, share- and NTFS level permissions.

With CopyRight2 you can migrate Active Directory users (including passwords), groups (including members), distribution lists (including members), contacts, organizational units and containers. The product supports all existing types of Active Directory groups, no matter if it is local, global, universal, security or distribution list groups.

In opposition to ADMT, CopyRight2 can also migrate local accounts from domain member computers and workgroup configured systems to domains and vice versa.

CopyRight2 can be installed on any computer, preferably on a domain controller of the source or the destination domain. Once the software is installed, it can be used right away to define and interactively run migration jobs or schedule jobs for background execution at a specified time. This is usually not the case with Microsoft's ADMT.

The product price includes 24/7 support and 2 years of free maintenance updates & upgrades as available. In case there is a problem using the software, you can get in touch with Sys-Manage's support at any time.

With CopyRight2 there is no additional costs for support contracts as it would be the case with ADMT. Our experienced support engineers have helped thousands of customers to complete their migrations successfully. Please contact us either by email or by telephone.

CopyRight2 allows you to migrate...

  • ...all accounts from the source Active Directory.
  • ...accounts selected from the Active Directory tree.
  • ...accounts provided in a specified input text file.
  • ...accounts returned from a LDAP query, by specifying a query root and a query filter condition.

As opposed to Microsoft's ADMT, CopyRight2's attribute in- and exclusion list allows you to define graphically which attributes you want to migrate by object class type. You can also provide an empty attribute list, in which case all class specific attributes defined in the Active Directory schema will be copied.

CopyRight2 Active Directory Attribute Migration Settings

Using CopyRight2 you can migrate accounts into the default "Users" container or into a specified container, optionally while retaining the original OU and container hierarchy structure.

CopyRight2 Active Directory Attribute Migration Settings

CopyRight2 can migrate the permissions set on any Active Directory Objects, such as users, groups, contacts, distribution lists, organizational units and containers. It migrates the permissions (DACL), auditing information (SACL) and the owner.

CopyRight2 Active Directory Object Security Migration Settings

You can schedule any migration jobs to run automatically in the background at specified intervals. Receive email notifications for the job in case of success and/or error. You can use a scheduled job to setup a continuous replication between domains.

CopyRight2 Active Directory Object Security Migration Settings

You can define scripts, based on the object class, executed for each migrated object, allowing you to very easily "transform" migrated objects in case you need to make adjustments to any attribute values. For example you could use the following line of VBScript code to add the prefix "PREFIX_" to migrated object's "samAccountName" attribute:

Destination("samAccountName")="PREFIX_" & Source("samAccountName")

CopyRight2 Active Directory Object Security Migration Settings

CopyRight2 supports Windows® sidHistory Active Directory attribute to separate the account migration from the resource migration and computer roll-out. Using this feature allows migrated user and group accounts to access resources still located in the source environment having permissions for the original source accounts only. Beyond that, you can use CopyRight2 to reassign NTFS and file share permissions to use the migrated new accounts and to cleanup the sidHistory attribute once it is no longer needed.

Interforest migrations

If the source and destination domain are located in different domain forests, you create a clone of each source user or group in the destination domain, having the sidHistory attribute set to the corresponding SID of the original account.

Intraforest migrations
If the source and destination domain reside in the same forest, for example a parent <-> child domain relationship, the user and group accounts will be moved between the source and destination domain, causing accounts to get a new SID, but also having the sidHistory attribute set to the corresponding SID of the original accounts. You can find more information about using the sidHistory attribute in the CopyRight2 Documentation.

CopyRight2 Active Directory sidHistory Migration Settings

It is, however, not a requirement to use the sidHistory attribute with CopyRight2. In contrast to Microsoft's ADMT, you can migrate user and group accounts directly and reassign NTFS and file share permissions of any data on-the-fly while being copied or by processing permissions without moving data.

There are specific scenarios where the use of sidHistory is not recommended. Disabling SID filtering on the source domain, a requirement for resource access using sidHistory, implicitly grants admin accounts of the destination domain administrative access to the source domain, including any resources accessible to it. This may violate given security restrictions.

The official ADMT documentation describes the impact of sidHistory using the following wording: "With SID Filtering disabled, a rogue domain administrator could clone a SID from the other domain and add it to their SID History, granting them unauthorized rights.".

This could be an issue in case of company break ups, de-mergers or other Active Directory domain reorganization scenarios.

Please download a 30-day trial version of CopyRight2.

In case of any questions or suggestions contact us at
Copyright © Sys-Manage, 1998-2020. All Rights Reserved.

Privacy Statement
Terms Of Use