Computer Objects Migration
In Active Directory (AD) migrations, the transfer of user and group objects between domains is a common first step. Usually, the need to migrate computer objects follows shortly after. When the goal of the migration is limited to synchronizing identities from the destination AD environment to Microsoft Entra ID for cloud-based access, it is typically sufficient for computers to be Microsoft Entra ID joined.
However, in scenarios where computer objects must also be fully integrated into the destination AD environment, additional support is required. This feature add-on is designed to facilitate the seamless migration of computer objects for your Active Directory migrations, ensuring they are properly joined and managed within the new domain.
The flow diagram below illustrates the complete process followed by the agent, including its download, installation, and triggering. The triggering process is initiated by the MigrationWiz Console and the MigrationWiz User associated with the object.
End User Step-by-Step Computer Move Migration
For step-by-step instructions your end users need to follow during a computer move migration, please make sure to review and share the following article.
Important
We strongly recommend that the steps listed in the article above are followed closely to ensure a smooth transition and user experience.
Limitations
- Apple and Linux operating systems are not supported for Computer Objects Migration.
- The process requires user interaction to initiate; the end user must accept a prompt to start the migration.
- The machine must remain active until the migration is fully completed. If the machine goes inactive or shuts down, the process may need to be restarted from the beginning.
- The user being migrated, and initiating the computer move agent, must be a Local Administrator if you wish to have the profile Re-ACL’d during the move process to the new target domain.
- Active Directory end users must first be migrated using MigrationWiz before migrating their corresponding end user computers. The computer objects migration does not support migrating computer objects for pre-existing users in the destination that were not migrated using MigrationWiz.
Prerequisites
- Make sure to migrate the SID History of the user linked to the computer account you are migrating. To review the details of this process, please refer to the Write SID History requirements and steps.
Important
For accurate permission updates, we recommend that the user being migrated launch the application themselves. If a non-admin user is logged in, the application will prompt for administrative credentials. In that case, the admin account used to start the application will be treated as the source account for file permission updates.
- Ensure that network sharing is enabled on both the source and target computers.
- Ensure that the MigrationWizComputerMoveAgentConfig.json file is present in the path "\\hostname.domain\MigrationWizComputerMoveAgentConfig". If the file is missing, navigate to the MigrationWizComputerMoveAgentConfig folder in the source Active Directory environment where the source server agent is installed. Right-click the folder, select Properties > Sharing > Advanced Sharing, enable Share this folder, then click Apply and OK.
By default, this is a hidden folder and you may need to enable the option to show hidden files to see this folder.
- Identify the IPv4 Addresses.
  - Source Domain DNS. Obtain the IPv4 address of the DNS server in the source (first) domain. This is typically provided by your IT administrator or can be found in the network settings on a computer already joined to that domain.
  - Target Domain DNS. Similarly, obtain the IPv4 address of the DNS server in the target (secondary) domain.
- Configure the Network Adapter Settings.
  - Open DNS Manager.
    - On the source Domain Controller, click Start, type DNS, and open DNS Manager.
  - Select the Server.
    - In the left pane, expand the server node and right-click the server name.
    - Select Properties.
  - Configure Forwarders.
    - Go to the Forwarders tab.
    - Click Edit.
  - Add the Target Domain Controller.
    - In the Edit Forwarders dialog, enter the IP address of the target Domain Controller.
    - Click OK to save.
  - Apply and Confirm.
    - Back in the server Properties window, click Apply and then OK to finish.
- Verify Connectivity.
  - Ping Test.
    - ping <source_DNS_IP> – to ensure the computer can reach the source domain’s DNS server.
    - ping <target_DNS_IP> – to verify connectivity with the target domain’s DNS server.
  - Check DNS Resolution.
    - Use a command like nslookup to ensure that domain names can be correctly resolved by both DNS servers.
After checking all the prerequisites, you need to set up the Computer Agent Installation following the next steps.
MigrationWiz Computer Move Agent Installation
Important
Ensure you have the latest version of the Computer Move agent before you start your migration process. First, uninstall the existing version, then install the most recent release.
Two methods are available to complete the Computer Move Agent Installation.
Automated Deployment via Source Agent
When objects are selected from an Organizational Unit (OU) in the Source Agent interface on the Source Domain Controller, the application automatically verifies if the Computer Move Agent installer ComputerMoveAgent.installer.msi exists at the following path on the Domain Controller machine:
C:\Downloads
- If the installer is not detected, it is automatically downloaded and placed in the specified location.
- Once available, administrators can deploy the installer using Group Policy or any other preferred deployment mechanism.
Manual Download via MigrationWiz Console
Administrators can manually download the installer by navigating to the MigrationWiz Console. Within the toolbar, select the following dropdown option:
Computer Move > Computer Move Agent Download
Computer Move Process
To follow the process of the Computer Object migration you need to ensure that:
- The User Object was migrated to the destination AD environment.
- The Mini Agent was installed and is communicating with the MigrationWiz console.
Important
Please ensure that your computer remains powered on throughout the process. If the computer is turned off or the application is closed before completion, the process will need to be restarted by the end user.
After both steps are completed, the console can display the following statuses:
- The mini agent has been started and configured successfully on the end user computer. A purple triangle confirms proper communication between the mini agent and the MigrationWiz console.
- The status indicator for the agent changes to green, confirming that the migration was successful.
- The agent displays a red status indicator, communicating that the migration failed due to an error.
Now select the corresponding line item and activate the Computer Move.
MigrationWiz displays the standard side-by-side migration screen, similar to a mailbox project, allowing you to schedule the migration in advance. This lets you automate the process at a specific time without needing to trigger it manually, or you can start the migration right away.
Whether you choose to schedule the migration or start it immediately, the system will prompt you to authorize a restart to complete the process. This ensures your computer successfully joins the new domain.
After the computer successfully joins the new domain, the agent reports its status back to the console. If the process fails, it reports the failure. The purple triangle then updates to green for success or red for failure.
Computer Object Properties
Computer objects are added to the available moves in the MigrationWiz console, as it is possible to pre-stage the objects inside the destination Active Directory.
To do this, they are migrated from the source to the destination in exactly the same way as user and group objects. The computer objects are added to the migration project in the Source Agent and rendered inside the destination AD by the Destination Agent in the same way, so from this step on you can follow the steps described in the Agent Configuration of the Active Directory Migration Guide.
Properties/Attributes Migration
When working in the console, it's important to have visibility into the changes made to your objects. The MigrationWiz console provides a detailed audit trail to help you track updates and troubleshoot effectively.
The console details section displays the following columns and statuses:
- The target Attribute of the object.
- The Status of the migration, which can include:
  - Ready for Migration
  - Migrated to Destination
  - Read-only Attribute
  - Failed Migration to Destination
- The Error(s) incurred during the migration process.
Active Directory Computer Object Properties
The following objects are part of the migration process; please review them carefully.
| Name | Directory Searcher Property |
| Managed by | "managedBy" |
| Member of | "memberOf" |
| userAccountControl | "userAccountControl" |
| description | "description" |
| displayName | "displayName" |
| HomePage | "wWWHomePage" |
| isKnownParent | "printShareName" |
| iPv4Address | "iPv4Address" |
| localPolicyFlags | "localPolicyFlags" |
| OperatingSystem | "operatingSystem" |
| OperatingSystemHotfix | "operatingSystemHotfix" |
| OperatingSystemServicePack | "operatingSystemServicePack" |
| OperatingSystemVersion | "operatingSystemVersion" |
| sAMAccountName | "sAMAccountName" |
| servicePrincipalName | "servicePrincipalName" |
| UserPrincipalName | "userPrincipalName" |
Important
The userPrincipalName attribute is read-only when accessed through Lightweight Directory Access Protocol (LDAP). Any attempt to modify it via LDAP will fail, and an error will be logged indicating that the attribute is not writable.
Active Directory Read-only Object Properties
The following table shows the read-only properties which cannot be modified.
| Name | Directory Searcher Property |
| ObjectGUID | "objectguid" |
| ObjectCategory | "objectcategory" |
| SamAccountName | "samaccounttype" |
| DistinguishedName | "distinguishedname" |
| ObjectClass | "objectclass" |
| LastLogonDate/LastLogonTimestamp | "lastlogontimestamp" |
| primaryGroupID | "primarygroupid" |
| countryCode | "countrycode" |
| objectSid | "objectsid" |
| codePage | "codepage" |
| CN | "cn" |
| Name | "name" |
| lastLogon | "lastlogon" |
| logonCount | "logoncount" |
| instanceType | "instancetype" |
| accountExpires | "accountexpires" |
| dSCorePropagationData | "dscorepropagationdata" |
| BadLogonCount | "badpwdcount" |
| LastBadPasswordAttempt | "badpasswordtime" |
| PasswordExpired/PasswordLastSet | "pwdlastset" |
| Modified | "whenchanged" |
| Created | "whencreated" |
| uSNChanged | "usnchanged" |
| uSNCreated | "usncreated" |
| nTSecurityDescriptor | "ntsecuritydescriptor" |
| createTimeStamp | "createtimestamp" |
| adspath | "adspath" |
| msds-user-account-control-computed | "msds-user-account-control-computed" |
| modifyTimeStamp | "modifytimestamp" |
| isCriticalSystemObject | "iscriticalsystemobject" |
| sDRightsEffective | "sdrightseffective" |
| CanonicalName | "canonicalname" |
| NTHash | "NTHash" |
| LockedOut | "lockoutime" |
| isDeleted | "isDeleted" |
| LastKnownParent | "lastknownParent" |
Understanding UserAccountControl (UAC) Behavior for AD Computer Accounts
When configuring the UserAccountControl attribute on an Active Directory (AD) computer account, it's important to be aware of how Windows interprets and adjusts these values.
For example, setting the value 65536 (which corresponds to the DONT_EXPIRE_PASSWORD flag) on a computer account may appear to change after the attribute is refreshed. The value is updated to 66048.
This happens because the value 512 (NORMAL_ACCOUNT) is automatically added by Windows to identify the object as a standard user or computer account.
And the following applies:
65536 (DONT_EXPIRE_PASSWORD) + 512 (NORMAL_ACCOUNT) = 66048
This automatic adjustment is by design. Not all UserAccountControl flags apply to computer accounts. If an unsupported flag is set, Active Directory will ignore it and enforce a default or valid value, often resulting in the attribute being set or reset to include NORMAL_ACCOUNT.
For more details on valid flags and their meanings, please refer to Microsoft's documentation: UserAccountControl property flags - Windows Server | Microsoft Learn.
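The adjustment described above can be separated from genuine differences by comparing the value written during migration with the value read back from the destination. The following PowerShell is an added example, not part of the MigrationWiz documentation or tooling; the function names, the computer names, the sample values and the choice of flags in $SensitiveMask are assumptions made for illustration, while the bit values come from Microsoft's UserAccountControl flag reference.

```powershell
# Bit values from Microsoft's "UserAccountControl property flags" reference (subset).
$UacFlags = [ordered]@{
    HOMEDIR_REQUIRED               = 0x8
    PASSWD_NOTREQD                 = 0x20
    NORMAL_ACCOUNT                 = 0x200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}
# Assumption (not from the page): flags worth a manual look on a computer account.
$SensitiveMask = 0x20 -bor 0x80000 -bor 0x400000 -bor 0x1000000

function ConvertFrom-UacValue {
    param([Parameter(Mandatory)][int]$Value)
    # Collect the name of every known flag whose bit is set in $Value.
    $names = foreach ($f in $UacFlags.GetEnumerator()) { if ($Value -band $f.Value) { $f.Key } }
    $names -join ', '
}

function Compare-UacAfterMigration {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][int]$Written,    # value set during migration
        [Parameter(Mandatory)][int]$ReadBack    # value read from the destination afterwards
    )
    $added   = $ReadBack -band (-bnot $Written)
    $dropped = $Written  -band (-bnot $ReadBack)
    # NORMAL_ACCOUNT (512) appearing by itself is the by-design adjustment described above.
    $unexpected = ($added -band (-bnot $UacFlags['NORMAL_ACCOUNT'])) -bor $dropped
    [pscustomobject]@{
        Computer  = $Computer
        Written   = $Written
        ReadBack  = $ReadBack
        Added     = ConvertFrom-UacValue $added
        Dropped   = ConvertFrom-UacValue $dropped
        Sensitive = ConvertFrom-UacValue ($ReadBack -band $SensitiveMask)
        Review    = [bool]($unexpected -or ($ReadBack -band $SensitiveMask))
    }
}

# Constructed sample values; in practice ReadBack is read from the destination domain.
$rows = @(
    @{ Computer = 'WS-EXAMPLE-01'; Written = 65536; ReadBack = 66048  }  # the case described above
    @{ Computer = 'WS-EXAMPLE-02'; Written = 65544; ReadBack = 66048  }  # a written flag was discarded
    @{ Computer = 'WS-EXAMPLE-03'; Written = 4096;  ReadBack = 528384 }  # a delegation bit appeared
)
foreach ($row in $rows) { Compare-UacAfterMigration @row }
```

Only the first row comes back with Review set to False, because the sole difference is the added NORMAL_ACCOUNT bit.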
Printer Object Migration
Printer objects are automatically migrated from a source AD domain to a target AD domain using their respective source and target agents.
The target agent manages the entire migration process:
- Migrates the AD printer object.
- Once the printer is migrated, the driver is installed automatically for the printer as long as the driver can be found and the driver is certified.
- Creates the new printer device.
- Configures the printer sharing in Active Directory.
It ensures that both the printer device and its corresponding AD printer object are fully migrated to the target AD server.
Preconditions
Before starting the printer migration, make sure the following steps are completed:
- Go to the Printer Management application and click on New to create a new printer.
- Enable Printer Sharing during setup.
- User-created ports must be manually registered in the destination with the same name before starting the migration.
- On the Domain Controller, verify if your printers are listed. If you do not see them, right-click and select Move to move them into the appropriate OU.
- For each printer, right-click and select Display in Directory.
- Confirm all printers are visible in Active Directory.
Important
- You must have Administrator rights.
- The agent must be run as an administrator from an AD administrator account with the same permission level.
- Enable printer sharing on each printer being migrated.
To start with the migration process, make sure you follow the steps:
- Create a new printer device on the target machine.
- Enable printer sharing.
- Add it to Active Directory.
- Set attributes for the AD printer object.
- Start with the migration to the target AD domain.
Note
For detailed instructions on how to share printer devices and list them in Active Directory, please refer to the online guide: how to add a printer in active directory.
On the target Windows Server, the target agent configures the attributes of the AD printer object.
Restrictions
- Migrated printer devices cannot be deleted automatically. You must remove them manually.
- Migrated AD printer objects are protected from accidental deletion, as they are linked to a printer device. Removing them may cause unexpected issues during future migrations.
- Managing printer devices and drivers requires full administrative privileges. If these privileges are not granted, the printer object migration will fail.
Limitations
- The printer migration may fail in the following cases:
  - Driver not found, or the driver found on the destination is not certified.
  - Invalid printer port name. A registered printer port of the same name does not exist or is not found on the destination.
  - Duplicate printer name. This should not normally be the case, as the Printer Manager catches it before you can create the same printer. However, the system still performs this check in case a printer name was changed.
- The process may fail if printer sharing is not enabled on the source system.
- If you’ve reviewed the limitations above and a non-listed issue persists, please contact support for further assistance.
Printer Object Properties
The following Printer Object Properties are part of the migration process; please review them carefully.
| Name | Directory Searcher Property |
| Description | "description" |
| Location | "location" |
| Network Address | "printerNetworkAddress" |
Important
The above properties are migrated and updated in subsequent migration passes.
Active Directory Read-only Object Properties
The following table shows the read-only printer properties which cannot be modified.
| Name | Directory Searcher Property |
| Name | "name" |
| Driver | "driverName" |
| Port | "portName" |
| Share Name | "printShareName" |
| Published | "published" |
| Driver Version | "driverVersion" |
| Model | "printerModel" |
| Queue | "printQueue" |
| Status | "printStatus" |
Important
The above properties are migrated only once and cannot be updated in subsequent migration passes.