The Sysadmins

Tips and tricks from the Sysadmins

ADMT Series – 10. Security Translation Wizard – Local Profiles

This post will cover the Security Translation Wizard from the context of migrating local user account profiles into the target domain. This step is crucial if you want your users to maintain the same local profile. The Translation Wizard needs to be run before migrating the computers. If you decide to skip this step, the users will receive a new profile when they log on to the target domain for the first time.

Be aware this process can take some time; I’ve seen it take up to 40-45 minutes on some older laptops.

Security Translation Wizard – For Local Profiles

From the ADMT machine, run ADMT and select Security Translation Wizard.


If you have migrated the source domain user accounts, you can select Previously Migrated Objects. This pulls the list of source and target SIDs from the ADMT database so the permissions can be mapped across to the new accounts. This is probably the best method if you have migrated the users across, or if you don’t need granular control over the process.

You can use a SID mapping file to link two accounts from the source and target domain. In the migration I recently went through, the accounts had already been created in the target domain, and there was no requirement for SID history. I decided that merging the user accounts wasn’t necessary. As I hadn’t migrated the users I was unable to use the previously migrated objects option, as ADMT has no history of the account SIDs in the ADMT database. A SID mapping file was used instead.

The SID Mapping file can be in the following formats:






For demonstration purposes, I have migrated a bunch of user accounts so I can choose the Previously Migrated Objects option.

Select the source and target domain; you can also select which specific domain controller to use.

Select computers from the domain or use an include file.

We will be translating profiles on a Windows XP SP3 test machine.

Choose the objects you wish to translate.

Files and folders – Select this option to translate security on files and folders on the targeted computer.
Local groups – Select this option to translate security on the local groups on the targeted computer.
Printers – Select this option to translate security on the local printers that are configured on the targeted computer.
Registry – Select this option to translate security on registry settings on the targeted computer.
Shares – Select this option to translate security on the shared resources on the targeted computer.
User profiles – Select this option to translate security on the local user profiles on the targeted computer.
User rights – Select this option to translate security on the user rights on the targeted computer.

Here you can choose to replace, add or remove the permissions. Add is the safest option and is what I would recommend in most cases.

Select Finish.

Run the pre-check and make sure it passes, then choose Run pre-check and agent operation.

If you click on Agent Detail and View Log you will be able to see what actions have been carried out. We have already migrated the user Ronnie Coleman so we see:

2012-05-19 17:00:36 Translating user profile, source account='Ronnie.Coleman', target account='Ronnie.Coleman'

After the profiles have been translated you will want to migrate the computers straight away.

What happens to the profile?

To show you what’s happened I’ve logged into XP1. You can see that the target user has been granted full permission over the local profile. As we chose the Add option, the source domain user also maintains access.

The migrated user in the target domain has been added to the profile list in the registry, and the profile is pointing to the source user’s profile. You can view this under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

Target SID / User

Source SID / User
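
To check this state on a translated workstation, the following added example (not from the original post) lists each domain SID under ProfileList with its profile path and the explicit ACEs on that folder, so a path shared by two SIDs and any access the source account retains under the Add option are visible. It assumes an elevated PowerShell 2.0 or later session on the workstation; the helper name Resolve-SidName is hypothetical.

```powershell
# Added example: audit local profiles after security translation.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Hypothetical helper: turn a SID string into DOMAIN\user where possible.
function Resolve-SidName {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'   # e.g. the SID's domain cannot be reached
    }
}

# One object per domain-account SID (S-1-5-21-...) registered in ProfileList.
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        New-Object PSObject -Property @{
            Sid     = $_.PSChildName
            Account = Resolve-SidName $_.PSChildName
            Path    = [Environment]::ExpandEnvironmentVariables($path)
        }
    }

# After translation the source and target SIDs point at the same folder,
# so group by path and show every SID registered against it.
$profiles | Group-Object Path | ForEach-Object {
    $group = $_
    "{0}  ({1} SID(s))" -f $group.Name, $group.Count
    $group.Group | ForEach-Object { "    {0}  {1}" -f $_.Sid, $_.Account }

    # Explicit (non-inherited) ACEs on the profile folder. With Add, both
    # the source and the target account are expected to appear here.
    if (Test-Path $group.Name) {
        (Get-Acl $group.Name).Access |
            Where-Object { -not $_.IsInherited } |
            ForEach-Object {
                "    ACE: {0}  {1}  {2}" -f $_.IdentityReference,
                    $_.AccessControlType, $_.FileSystemRights
            }
    }
}
```

An ACE whose identity prints as a raw SID rather than a name could not be resolved from that machine, which is worth reviewing once the source domain is retired.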

The next part of the series will run through migrating the computer objects and computer domain affiliation to the target domain.

ADMT Series – 1. Preparing Active Directory
ADMT Series – 2. Preparing the ADMT Machine
ADMT Series – 3. SID History
ADMT Series – 4. Password Export Server
ADMT Series – 5. Machine Preparation
ADMT Series – 6. Service Account Migration Wizard
ADMT Series – 7. Group Account Migration Wizard
ADMT Series – 8. User Account Migration Wizard
ADMT Series – 9. Merging Users with a Different sAMAccountName
ADMT Series – 10. Security Translation Wizard – Local Profiles
ADMT Series – 11. Computer Migration Wizard


  1. I am working on an important migration and appreciate the clearly laid out steps you have provided here. Thank you!

  2. Excellent Guide, most useful, this has saved me a lot of time and effort.

    One question, however: when selecting Computers from the domain, by default ADMT lists machines in the target domain; surely the machines to run the security translation on should be from the source domain?

  3. OK, I have followed this guide to the letter. However, when all is completed I log into a client machine using the new domain credentials and I can log in; my Desktop Icons/Documents/Favourites etc. are all present and correct as expected, but when I try to run Outlook it is still pointing to the old email server. How do I point the Outlook client to the new server as part of the migration?

    Kind Regards

  4. Great guide. Thank you for taking the time to post this!

  5. Best thing I read on this is the test user names….classic!

  6. Has anyone had an issue with volume mount drives? ADMT does not seem to see them and moves on right past.

  7. Nice to see you are using bodybuilders as an example… I like that
