The ClonePrincipal utility is a core tool for use in inter-forest restructures. In this lesson, you'll learn how to obtain and use it. ClonePrincipal is supplied on the Windows 2000 Server CD-ROM as one of the support tools.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
ClonePrincipal can copy Windows NT user attributes onto objects in a Windows 2000 domain and is used only with an inter-forest restructure. The cloning procedure works by reading the objects in the source domain, so it doesn't change any of the objects in any way. It has the following set of attributes:
There's no ClonePrincipal program as such. Instead, the actual files that make up the ClonePrincipal tool are Clonepr.dll, Adssecurity.dll, and Adserror.dll. You can control the ClonePrincipal object from scripts or programs that you write. The heart of ClonePrincipal is Clonepr.dll, which implements the DSUtils.ClonePrincipal COM object.
The ClonePrincipal COM object provides the ICloneSecurityPrincipal interface, which can be accessed via three methods:
Dim clonepr
Set clonepr = CreateObject("DSUtils.ClonePrincipal")
clonepr.Connect "Chaicodc1", "chaico", "Michaelis", "milesco"
This code creates the ClonePrincipal object and then connects to the source domain CHAICO through its domain controller Chaicodc1 and to the destination domain MILESCO through its domain controller Michaelis, so that items can be copied from CHAICO into MILESCO.
clonepr.CopyDownlevelUserProperties "ChaicoRobM", "MilescoRobM", 0
The properties of user ChaicoRobM are copied to user MilescoRobM. The user ChaicoRobM must exist in the source domain. If the user MilescoRobM doesn't exist, it's created. If the user MilescoRobM already exists, the properties (in other words, group memberships and SIDhistory information) of ChaicoRobM are added to it. This method can therefore be used to combine a number of different accounts, each holding permissions in a different source domain, into a single account. When a user is copied in this way, the password is set to a null string and the account is disabled.
clonepr.AddSidHistory "chaicoRobm", "milescorobm", 0
The SID value of chaicoRobm is added to the SIDhistory property of milescorobm.
Calling AddSidHistory repeatedly also lets you accumulate the SIDs of several source objects in the SIDhistory of a single user in the destination domain.
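The three methods above are normally combined in a script. The following VBScript is an added example, not one of the scripts shipped with ClonePrincipal: it connects once, then clones a mapping of source SAM names to destination SAM names, copying the downlevel properties and appending the source SID to the destination SIDhistory for each, and reports every failure instead of stopping at the first one. The domain controller names, domain names, and account names are constructed placeholders.

```vbscript
' Added example (not one of the ClonePrincipal sample scripts): clone a list
' of Windows NT users from CHAICO into MILESCO with the DSUtils.ClonePrincipal
' COM object, logging the outcome of each account. DC names, domain names and
' account names below are constructed placeholders.
Option Explicit

Dim srcDC, srcDomain, dstDC, dstDomain
srcDC = "Chaicodc1"       ' PDC of the source (Windows NT 4.0) domain
srcDomain = "chaico"
dstDC = "Michaelis"       ' domain controller of the destination (Windows 2000) domain
dstDomain = "milesco"

' Source SAM name -> destination SAM name. Two source accounts are mapped onto
' one destination account to show how memberships and SIDhistory values from
' several accounts can be aggregated into a single principal.
Dim userMap
Set userMap = CreateObject("Scripting.Dictionary")
userMap.Add "ChaicoRobM", "MilescoRobM"
userMap.Add "ChaicoRobMAdmin", "MilescoRobM"
userMap.Add "ChaicoJaneD", "MilescoJaneD"

Dim clonepr
Set clonepr = CreateObject("DSUtils.ClonePrincipal")

On Error Resume Next
clonepr.Connect srcDC, srcDomain, dstDC, dstDomain
If Err.Number <> 0 Then
    WScript.Echo "Connect failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

Dim srcSam, dstSam, failures
failures = 0
For Each srcSam In userMap.Keys
    dstSam = userMap(srcSam)
    On Error Resume Next
    ' Copies the downlevel properties; creates dstSam if it does not yet exist.
    clonepr.CopyDownlevelUserProperties srcSam, dstSam, 0
    If Err.Number = 0 Then
        ' Appends the SID of srcSam to the SIDhistory of dstSam.
        clonepr.AddSidHistory srcSam, dstSam, 0
    End If
    If Err.Number <> 0 Then
        failures = failures + 1
        WScript.Echo "FAILED  " & srcSam & " -> " & dstSam & ": 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        ' The clone is created disabled with a blank password; record that so
        ' the accounts can be re-enabled deliberately after the run.
        WScript.Echo "cloned  " & srcSam & " -> " & dstSam & " (disabled, blank password)"
    End If
    On Error GoTo 0
Next

WScript.Echo failures & " failure(s)"
If failures > 0 Then WScript.Quit 1
```

Run it with `cscript //nologo clonelist.vbs` (the file name is your choice) from the destination domain controller, as the sample scripts are. A non-zero exit status signals that at least one account was not fully cloned, which makes the script usable from a batch file that must not continue to the next migration step on partial failure.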
The sample scripts that are provided with ClonePrincipal are shown in Table 9.9.
Table 9.9 ClonePrincipal Scripts
| Script File | Function |
|---|---|
| Sidhist.vbs | Used to copy the SID of a source object into the SIDhistory of an existing security principal. If required, it can aggregate the SIDs of multiple users from a source domain into one user account on the destination. |
| Clonepr.vbs | Clones a single object. It creates the destination object (user, global group, or domain local group) if it doesn't already exist, copies the properties of the source principal to the destination principal, then copies the source SID to the SIDhistory of the destination. When cloning a global group or user, it establishes group memberships in the destination domain to reflect the memberships in the source domain. When cloning a shared or domain local group, it copies the entire source membership list to the destination local group. |
| Clonegg.vbs | Clones all global groups in a domain. |
| Cloneggu.vbs | Clones all global groups and users in a domain. |
| Clonelg.vbs | Clones all "shared" or domain local groups in a domain. |
The scripts are executed by Windows Script Host using the Cscript command.
The power of ClonePrincipal lies in the fact that it can be driven from user-written scripts. For custom migrations this means that your own rules for filtering which objects are cloned, and for how they are handled, can be implemented as programs. For general day-to-day management it isn't recommended, precisely because every operation must be driven from a script file.
Using the default ICloneSecurityPrincipal::CopyDownlevelUserProperties method, the following Windows NT 4.0 user properties are copied from the source account to the destination account. These will overwrite existing properties on the destination account:
The following properties are explicitly set on the destination user:
Hence, once migrated, you'll need to re-enable the user accounts and let the users know that a blank password has been set on their account.
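Because every clone arrives disabled with a blank password, it is worth checking the destination OU after a cloning run rather than trusting the script's output. The following VBScript is an added example and not part of the ClonePrincipal tools: it enumerates the user objects in a destination OU through ADSI, lists every account that is still disabled (and so still needs to be re-enabled and given a real password), and lists every account that carries no sIDHistory value, which means the source SID was never attached. The OU path is a constructed placeholder.

```vbscript
' Added example (not part of ClonePrincipal): read-only post-migration check of
' a destination OU. Reports cloned users that are still disabled and users with
' no sIDHistory. The OU path is a constructed placeholder; adjust it to your
' destination domain.
Option Explicit

Dim ouPath
ouPath = "LDAP://OU=migrate,DC=trainkit,DC=microsoft,DC=com"

Dim ou, acct, samName, sidHistory
Dim total, disabledCount, noHistoryCount
total = 0
disabledCount = 0
noHistoryCount = 0

Set ou = GetObject(ouPath)
ou.Filter = Array("user")       ' enumerate user objects only, not groups

For Each acct In ou
    total = total + 1
    samName = acct.Get("sAMAccountName")

    ' AccountDisabled is the IADsUser view of the ACCOUNTDISABLE flag that
    ' ClonePrincipal sets on every clone.
    If acct.AccountDisabled Then
        disabledCount = disabledCount + 1
        WScript.Echo "DISABLED       " & samName & "  (re-enable; blank password set by cloning)"
    End If

    ' sIDHistory is multi-valued; GetEx raises an error when the attribute has
    ' no value, which is exactly the case we want to flag.
    On Error Resume Next
    sidHistory = acct.GetEx("sIDHistory")
    If Err.Number <> 0 Then
        Err.Clear
        noHistoryCount = noHistoryCount + 1
        WScript.Echo "NO SIDHISTORY  " & samName
    Else
        WScript.Echo "ok             " & samName & "  " & (UBound(sidHistory) + 1) & " SID(s) in sIDHistory"
    End If
    On Error GoTo 0
Next

WScript.Echo total & " user(s): " & disabledCount & " disabled, " & noHistoryCount & " without sIDHistory"
```

Run it with `cscript //nologo checkclones.vbs` (file name of your choice) on the destination domain controller once the cloning scripts have finished. The script only reads the directory; re-enabling accounts and setting passwords remains a deliberate, separate step.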
NOTE
User properties unique to Windows 2000 aren't copied by ClonePrincipal, even if the source domain is Windows 2000.
For more detailed information, read the clonepr.doc file in the Tools folder.
In this practice, you'll perform an inter-forest copy using the ClonePrincipal tool. You'll use a single command to invoke the tool and clone the Mig2 user in the MIGRATE domain. It's important that the source and destination domains be properly configured for the command to work. Ensure that the premigration tasks that were detailed earlier in this chapter for ADMT have been completed. All command-line operations must be performed on TRAINKIT1.
cscript clonepr.vbs /srcdc:migrate1 /srcdom:migrate /srcsam:mig2 /dstdc:trainkit1 /dstdom:trainkit.microsoft.com /dstsam:mig2x /dstdn:CN=mig2x,OU=migrate,DC=trainkit,DC=microsoft,DC=com
TIP
If you have problems typing the command accurately, you can use the script named Clonescript.bat provided in the Tools folder.
The command uses the Clonepr.vbs script to copy the user Mig2 from the domain MIGRATE into the user Mig2x in the Migrate OU in the trainkit.microsoft.com domain.
NOTE
When ClonePrincipal clones a user, the new account is created disabled, which is why a red X appears over the user name icon.
Now test the Mig2x account by logging on and off TRAINKIT1, using the Mig2x account without any password. When prompted to change the password, type secret.
NOTE
This lesson completes all practices you'll be doing with an inter-forest migration. You might want to experiment some more with user and group cloning before moving on to the practice on intra-forest migration in Lesson 8, where you'll reconfigure the MIGRATE domain into the MIGKIT domain and then use the MIGKIT domain for an intra-forest migration.
In this lesson, you learned that ClonePrincipal is a set of scripts that can be installed from your Windows 2000 Server CD-ROM. You also learned that you can use it to aid with scripting an inter-forest restructure, and finally, you used the ClonePrincipal tool to stage an incremental migration (in other words, migrating a single user).