
Migration Manager for AD 8.14 - Resource Kit User Guide

CertMgr

In Active Directory environments, users can use encryption certificates to give access to encrypted NTFS files. The certificates can be managed from the Certificates Microsoft Management Console (MMC) snap-in.

If a source account certificate is not migrated to the target account, the user loses the corresponding capabilities, such as access to the encrypted file system.

Certificates marked as exportable (which is the default option) can be migrated. The certificate migration can be done manually, with each user exporting and then importing the certificate from the Certificates snap-in. Alternatively, the CertMgr utility can be used to automate the procedure.

CertMgr Configuration

The CertMgr utility is installed to the Resource Kit folder.

To export the certificates, run the following command:

certmgr /mode:e

To import previously-exported certificates, run the following command:

certmgr /mode:i

Other options are taken from the CertMgr.ini file. You can create the file by following this template:

; *********** CertMgr.ini **********
[CertMgr]
CertDir=
; The folder in which CertMgr will put the certificates during export
; and from which certificates will be taken during import.
; The default is the folder in which CertMgr is located.
; You can specify a UNC (network) or local path.
; CertMgr supports environment variables (e.g., CertDir=%SYSTEMROOT%\certs)
; and relative paths (e.g., CertDir=..\certs or CertDir=.\certs).
; If the folder does not exist, it will be created automatically.
 
Exportable=yes|no
; Specify whether CertMgr should mark the certificates as exportable when it imports them.

Caution: By default CertMgr marks the processed certificates as exportable (Exportable=yes).

[Log]
LogFileDir=
; Output folder for the CertMgr.log file.
; The default is the folder in which CertMgr is located.
; You can specify a UNC (network) or local path.
; CertMgr supports environment variables and relative paths.
; If the folder does not exist, it will be created automatically.
; If the file already exists, new entries will be appended to it.
Filter=-1
; Bit mask for log details level.
; ERROR = 1,
; WARNING = 0x2,
; INFORMATIONAL = 0x4,
; SUMMARY = 0x8,
; INTERNAL_ERROR = 0x10,
; TRACE_MSG = 0x20,
; The default is -1, which means that all the information is logged.

Using CertMgr

To export the certificates installed locally, run the following command:

certmgr /mode:e

To import previously-exported certificates on the local computer, run the following command:

certmgr /mode:i

To automate certificate export or import for multiple users, you can create logon scripts to run the command “certmgr /mode:e” for all users in the source domain, and “certmgr /mode:i” for users in the target domain.

For each user, CertMgr creates a certificates file in the folder specified in the CertMgr.ini file. The file is not password-protected, so use NTFS permissions to restrict access to it and keep the certificates safe.

If export is run twice for the same user, it will simply overwrite the file it previously created.

CertMgr replaces the certificate if it already exists in the store.

Caution: Keep in mind that only one user account can own a certificate. Once a certificate is imported by the target account, it can no longer be used by the source account.

The tool does not delete the certificate files after import. Administrators need to delete the files themselves after they are no longer needed.
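
The export files are not password-protected and are not removed after import, so the export folder is worth auditing. The following PowerShell script is an added example, not part of the Resource Kit or this guide. The IniPath and MaxAgeDays parameters, the list of broad groups, and the choice to resolve relative CertDir paths against the folder that holds CertMgr.ini are assumptions.

```powershell
# Added example, not Quest code: audit the folder CertMgr exports certificates to.
param(
    [string]$IniPath    = '.\CertMgr.ini',  # assumption: run from the CertMgr folder
    [int]   $MaxAgeDays = 30                # assumption: site-specific retention
)
$iniDir = Split-Path -Parent (Resolve-Path -LiteralPath $IniPath).Path

# Read CertDir from the [CertMgr] section of the ini file.
$section = ''; $certDir = ''
foreach ($line in Get-Content -LiteralPath $IniPath) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'CertMgr' -and $t -match '^CertDir\s*=\s*(.*)$') {
        $certDir = $Matches[1].Trim()
    }
}
# An empty CertDir means the folder CertMgr is located in (the documented default).
if (-not $certDir) { $certDir = $iniDir }
$certDir = [Environment]::ExpandEnvironmentVariables($certDir)
# Assumption: relative paths resolve against the folder that holds CertMgr.ini.
if (-not [System.IO.Path]::IsPathRooted($certDir)) { $certDir = Join-Path $iniDir $certDir }

# Broad groups are matched by SID so the check works on any OS language.
function Get-BroadGroupName([string]$Sid) {
    switch -Regex ($Sid) {
        '^S-1-1-0$'             { return 'Everyone' }
        '^S-1-5-11$'            { return 'Authenticated Users' }
        '^S-1-5-32-545$'        { return 'BUILTIN\Users' }
        '^S-1-5-21-[\d-]+-513$' { return 'Domain Users' }
    }
}

$read  = [System.Security.AccessControl.FileSystemRights]::ReadData
$rules = (Get-Acl -LiteralPath $certDir).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($r in $rules) {
    $name = Get-BroadGroupName $r.IdentityReference.Value
    # ACEs that carry only generic rights bits are not decoded by this check.
    if ($name -and $r.AccessControlType -eq 'Allow' -and
        ([int]($r.FileSystemRights -band $read) -ne 0)) {
        Write-Warning "$certDir is readable by $name ($($r.FileSystemRights))"
    }
}

# CertMgr leaves the certificate files in place after import; list stale ones.
# The guide does not document the file names, so every file in the folder is reported.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
Get-ChildItem -LiteralPath $certDir -File |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Select-Object FullName, LastWriteTime
```

The script only reports; it changes no permissions and deletes no files.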

SSN Creator

The SSN Creator utility can export the migration account mapping to the Domain Migration Wizard session format. This format can be used to re-permission resources by other applications such as Quest Consolidator.

To export the mapping, take the following steps:

  1. Run SSNExport from the Resource Kit folder.
  2. Fill in the parameters and click Generate SSN.

 
