Can a user or a group be renamed during migration and, if so, how? Can two different source and target AD objects be matched and merged?
The functionality is built into the Migration Manager migration engine. Use of import files is required.
1. Renaming of objects can be performed using an import file. The import file must be a Unicode text file (if ANSI or UTF-8, all but the first column will be ignored). Text entries should be TAB separated (delimited). The header is mandatory and should contain at least these two entries, separated by a TAB: SAMAccountName SAMAccountName. One object per line should be specified. The syntax of the import file would be:
SAMAccountName	SAMAccountName
sourceuser1	targetuser1
sourceuser2	targetuser2
sourceuser3	targetuser3
sourceuser4	targetuser4
IMPORTANT:
- Do not copy and paste the import file from anywhere but a plain text editor or export. This can cause formatting issues even if the article appears fine visually.
- When using this file to create new user accounts or groups and there is already a user/group in target with the same name as source, the file above will not work. It is absolutely necessary to add at least the name attribute; the file should look like:
SAMAccountName	SAMAccountName	name
sourceuser1	targetuser1	targetuser1
- The above will create the target object and set the SAMAccountName and Name to targetuser1. The same method would apply to a group.
- If object names contain spaces, there is no need to use quotation marks. For example, when renaming a group with the name Executive Users to Target Executive Users, the syntax is:
SAMAccountName	SAMAccountName	name
Executive Users	Target Executive Users	Target Executive Users
2. The same file format can be used to populate other target attributes. The syntax could be this:
SAMAccountName	SAMAccountName	name	displayname	userprincipalname
sourceuser1	targetuser1	targetuser1	Target User1	targetuser1@dom.com
sourceuser2	targetuser2	targetuser2	Target User2	targetuser2@dom.com
sourceuser3	targetuser3	targetuser3	Target User3	targetuser3@dom.com
3. The same import file can be used to merge with existing objects. When using such a file, two completely different accounts can be merged, e.g. Peter M. from source can be merged with James T. from target. The same applies to groups. In rare cases admins use the same approach to merge a built-in group with another (regular) group. When merging users or groups using the SAMAccountName SAMAccountName header, make sure that matching by SAMAccountName is enabled in the domain pair properties. Otherwise DSA will attempt to create a new user with the same SAMAccountName and post a conflict instead of merging with the existing user.
IMPORTANT: The CN attribute cannot be changed by using CN in the import file syntax. In order to modify the CN value, the Name attribute must be used. This will change the CN name on target.
NOTES:
- The maximum number of characters that can be used when renaming a user or group is 64. If this number is exceeded, you will receive an error message after the migration has run. A sample log entry of the error:
LDAP error 0x13. Constraint Violation (00002082: AtrErr: DSID-03050B04, #1:0: 00002082: DSID-03050B04, problem 1005 (CONSTRAINT_ATT_TYPE, data 0, Att 3 (cn):len 130).
- Import files work with migration only; this is not applicable to synchronization.
- If synchronization is turned on and the attributes being changed during migration are not excluded, synchronization will overwrite the changes.
- When migrating accounts using an import file, they will always be migrated as a flat list to the location you specify during the migration session, no matter what is specified within the migration session settings. If you wish to place objects that are being renamed via import file into the same OU structure as source, one possible option may be to migrate the objects normally first, then rename them later using the import file and a merging migration session. When performing this, make sure the "Merge and leave account where it was before the migration" option is selected.
- There are two ways to exclude attributes:
1. Excluding attributes when configuring Source and Target domain pair will exclude them from all subsequent migrations and synchronization for the pair of domains.
2. Excluding attributes via a configuration script, on the corresponding tab of configuration properties (Configure Synchronization), will exclude them from synchronization only.
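The following is an added example, not part of the original article or the product: a pre-flight check that builds and validates an import file against the rules above (Unicode encoding, TAB-separated fields, mandatory header, 64-character name limit). It assumes "Unicode" means UTF-16 with a byte-order mark; the function names and the duplicate-target check are this example's own.

```python
import codecs

MAX_NAME_LEN = 64  # rename limit given in the NOTES above


def build_import_file(header, rows):
    """Encode header + rows as TAB-separated UTF-16 text with a BOM."""
    text = "".join("\t".join(r) + "\r\n" for r in [header, *rows])
    return text.encode("utf-16")  # Python prepends the byte-order mark


def validate_import_file(raw):
    """Return a list of problems found in the raw bytes of an import file."""
    # Assumption: "Unicode" means UTF-16 with a BOM (Notepad's "Unicode").
    if not raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return ["not UTF-16: ANSI/UTF-8 files lose all but the first column"]
    lines = [l for l in raw.decode("utf-16", "replace").splitlines() if l.strip()]
    if not lines:
        return ["file has no header"]
    header = [h.strip().lower() for h in lines[0].split("\t")]
    if header[:2] != ["samaccountname", "samaccountname"]:
        return ["header must begin SAMAccountName<TAB>SAMAccountName"]
    problems = []
    name_col = header.index("name") if "name" in header else None
    targets = {}
    for num, line in enumerate(lines[1:], start=2):
        fields = line.split("\t")
        if len(fields) != len(header):
            problems.append(f"line {num}: {len(fields)} fields, header has {len(header)}")
            continue
        if name_col is not None and len(fields[name_col]) > MAX_NAME_LEN:
            problems.append(f"line {num}: name has {len(fields[name_col])} chars, max {MAX_NAME_LEN}")
        # Two sources mapped to one target: flagged for review only; the
        # article does not say how the tool treats this case.
        first = targets.setdefault(fields[1].lower(), num)
        if first != num:
            problems.append(f"line {num}: target also used on line {first}")
    return problems


# Constructed sample rows, modelled on the article's examples.
HEADER = ["SAMAccountName", "SAMAccountName", "name"]
GOOD = build_import_file(HEADER, [
    ["sourceuser1", "targetuser1", "targetuser1"],
    ["Executive Users", "Target Executive Users", "Target Executive Users"],
])

if __name__ == "__main__":
    print(validate_import_file(GOOD) or "import file looks valid")
```

Running the check before a migration session catches files where an editor replaced tabs with spaces or saved as UTF-8.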