Today, a short post about a “small” issue we encountered with a migration project.
We are currently busy with an intraforest migration. The infrastructure is still based on Windows 2003. To perform the migration, we have used the famous ADMT tool. As recommended, we started by migrating universal groups from the source domain to the target domain. The migration had just started and should last for some weeks. After some hours, the people managing Active Directory started to freak out because group membership was lost. This was obviously caused by the migration process.
We were all a little bit under stress with this announcement. The ADMT tool was supposed to keep and migrate this information over. We were quite confident that the problem was something else (were we?). We decided to look into Active Directory, and indeed group membership information was not visible, or only partially visible.
We quickly explained to the people that this was a “normal” behavior due to the migration activities. Indeed, if you move groups to the target domain while the user accounts are still in the source domain, you are not able to get the full picture of group membership. To illustrate the situation, we checked the group membership for a user called Test_A. The screenshot below shows that the user Test_A is located in the Child.domain.lab domain, and you can see group membership only for groups located in the Child.domain.lab domain.
Using the ADMT tool, we migrated the group GG_Nested_A. User Test_A was a member of this group. This screenshot shows the members of the group GG_Nested_A, and you can clearly see that the user TEST_A is still a member of this group.
Again, the information was not visible, but it was not lost.
People started to calm down because they were assured that group membership was not lost. On the other hand, the people managing Active Directory started to wonder how this would affect their day-to-day business. This situation makes it difficult to update and manage group membership because you have to look in two locations and you cannot get all the information in one place. We had to come up with a quick solution and have people working as before.
To solve this issue, we simply followed the following knowledge base article from Microsoft:
Go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\DirectoryUI (if the “folder” Windows and/or DirectoryUI does not exist, create it).
Right-click the DirectoryUI “folder” and select New > DWORD Value, naming the new value AlwaysShowExternalGroups.
Double-click AlwaysShowExternalGroups and type 1 in the value field.
At this stage, your registry should look like this
You are not done yet. The KB requires you to download a hotfix. If you have Windows 2003 SP2 R2 installed, you can simply copy the adprop.dll file from your server to the local machine, into the directory %windir%\system32.
You might need to reboot your machine for the changes to apply. After that, you will be able to see group membership information independently of group location.
As mentioned in the KB, this is not a computer-wide setting. If multiple users work on a computer and they need the same functionality, you will need to update the registry for each of them.
As you can see, this was not really a big issue, but more of an annoyance for the people managing Active Directory. Fortunately, this situation was known and a quick solution was implemented. We were able to continue our migration.
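As an added example (not from the original post or the KB), the following PowerShell applies the registry change for the current user, verifies it, and reports whether adprop.dll is present in system32; it assumes Windows PowerShell is run as the user who needs the setting, since the value lives under HKEY_CURRENT_USER.

```powershell
# Added example: set and verify AlwaysShowExternalGroups for the current user.
# The key path and value name come from the KB steps above; the function names are ours.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Windows\DirectoryUI'
$ValueName = 'AlwaysShowExternalGroups'

function Set-AlwaysShowExternalGroups {
    # Create the Windows\DirectoryUI keys if missing (-Force creates missing parents)
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Write the DWORD value 1; -Force overwrites an existing value of any type
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-AlwaysShowExternalGroups {
    # Returns $true only when the value exists for this user and equals 1
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Get-AdpropVersion {
    # The KB also needs the updated adprop.dll; return its file version, or $null if absent
    $dll = Join-Path -Path $env:windir -ChildPath 'system32\adprop.dll'
    if (Test-Path -Path $dll) {
        return (Get-Item -Path $dll).VersionInfo.FileVersion
    }
    return $null
}

Set-AlwaysShowExternalGroups
"AlwaysShowExternalGroups set for $($env:USERNAME): $(Test-AlwaysShowExternalGroups)"
"adprop.dll version in system32: $(Get-AdpropVersion)"
```

Because the value is per user, the script has to be run once under each account that manages group membership on that machine.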
That’s it for this post.
Till next time.