Scripted Password Migration with ADMT (The poor man's FIM)

A domain migration is a tricky thing with many different possible requirements. One of them can be ongoing password synchronization from one domain to another, for example when accounts have to coexist in multiple domains for a long time and the client wants a single source of truth for all passwords. Microsoft's Forefront Identity Manager 2010 R2 can do real-time synchronization from a source domain to multiple target domains. That's great if you are already comfortable with FIM and ready to set up a metaverse, install the Password Change Notification Service (PCNS) on every domain controller in the source domain, and configure the mapping rules. If, however, your requirements are a little less stringent, then I would humbly recommend this scripted solution I worked out with ADMT.

The ADMT tool from Microsoft can migrate passwords along with user accounts by using the Password Export Server (PES) service, which is installed on a domain controller in the source domain and paired with ADMT through an encryption key created with admt key. The usual purpose of password migration is to set the password one time, when the user account is migrated. When a password is migrated, ADMT sets the "user must change password at next logon" flag on the target account. Passwords can be migrated again against the same set of users, and if a user's password has not changed since the last run, ADMT leaves both the password and the flag alone. ADMT also has a command-line interface, so my first thought was "scripting time!" The script below reads an include file whose header row is SourceName,TargetName.
#Script to synchronize passwords
#Ned Bellavance
#4/23/2013

#First let's get the Active Directory module imported
Import-Module ActiveDirectory
#Now let's get the users we plan to sync from the include file (header row: SourceName,TargetName)
$users = Import-Csv -Path includefile.txt
#Now let's run that admt tool to update their password. Replace the bracketed placeholders
#with your domain names and the DC running the Password Export Server; admt.exe can be called
#directly, no Invoke-Expression needed.
admt password /includefile:includefile.txt /SD:[SourceDomain] /TD:[TargetDomain] /PS:[PasswordExportServer]
#Now that we have synced the password, let's go ahead and clear that change password flag
#on every account listed in the include file
foreach($user in $users){
    Get-ADUser $user.TargetName | Set-ADUser -ChangePasswordAtLogon $false
}
You can easily change the include file to use different headers. This is useful if you plan to change users' SamAccountName when you migrate them. If you use a different header for the target SamAccountName, just be sure to change $user.TargetName to whatever that header is. The script is intended to be run from the server where ADMT is installed, and that server needs the Active Directory PowerShell module available. One caveat: the loop clears the change-password flag on every account in the include file on every run, including any account where an administrator in the target domain set the flag on purpose, so keep the include file scoped to the accounts you actually want synced.
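As an added example that is not part of the original post, here is a variant of the script that clears the flag only for accounts ADMT actually touched in the current run. It relies on how the flag is stored: "user must change password at next logon" is pwdLastSet = 0 in Active Directory, so an account whose pwdLastSet was non-zero before the admt run and zero afterwards got a new password from ADMT, while an account that was already at zero before the run was flagged by someone else and is left alone. The domain names, PES server name, include-file path and admt.exe install path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post). All names and paths below are placeholders.
param(
    [string]$IncludeFile    = 'C:\ADMT\includefile.txt',      # header row: SourceName,TargetName
    [string]$SourceDomain   = 'source.example',               # placeholder
    [string]$TargetDomain   = 'target.example',               # placeholder
    [string]$PasswordServer = 'dc01.source.example',          # source-domain DC running the PES service
    [string]$AdmtExe        = "$env:ProgramFiles\Active Directory Migration Tool\admt.exe"  # assumed path
)

Import-Module ActiveDirectory -ErrorAction Stop

# Drop rows missing either column; a blank TargetName would otherwise break the lookups below.
$users = @(Import-Csv -Path $IncludeFile | Where-Object { $_.SourceName -and $_.TargetName })
if ($users.Count -eq 0) { throw "No usable rows in $IncludeFile" }

# Snapshot pwdLastSet in the target domain before ADMT runs.
# pwdLastSet = 0 is how AD stores "user must change password at next logon".
$before = @{}
foreach ($u in $users) {
    $acct = Get-ADUser -Identity $u.TargetName -Server $TargetDomain -Properties pwdLastSet -ErrorAction SilentlyContinue
    if ($null -eq $acct) { Write-Warning "Target account '$($u.TargetName)' not found; skipping"; continue }
    $before[$u.TargetName] = [int64]$acct.pwdLastSet
}

# Call admt.exe directly; PowerShell passes the switches through unchanged.
& $AdmtExe password /includefile:$IncludeFile /SD:$SourceDomain /TD:$TargetDomain /PS:$PasswordServer
if ($LASTEXITCODE -ne 0) {
    # Assumption: admt.exe returns nonzero on failure. Check the ADMT migration log either way.
    Write-Warning "admt.exe exited with code $LASTEXITCODE; check the ADMT migration log"
}

# Clear the flag only where ADMT set it during this run.
$cleared = 0
foreach ($name in $before.Keys) {
    $after  = Get-ADUser -Identity $name -Server $TargetDomain -Properties pwdLastSet
    $wasSet = ($before[$name] -eq 0)
    $isSet  = ([int64]$after.pwdLastSet -eq 0)
    if (-not $wasSet -and $isSet) {
        # Password was replaced by ADMT in this run, so the flag is ours to clear.
        Set-ADUser -Identity $after -Server $TargetDomain -ChangePasswordAtLogon $false
        $cleared++
    } elseif ($wasSet) {
        # Flag was already set before the run (helpdesk reset, new account, etc.); leave it alone.
        Write-Warning "'$name' already had 'must change password' set before the run; not clearing"
    }
}
Write-Output "Processed $($users.Count) users; cleared the must-change flag on $cleared"
```

Accounts whose password ADMT did not change keep whatever pwdLastSet they had, so they fall through both branches untouched, which matches the behaviour described above for unchanged passwords.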

This script can be set up as a scheduled task. By doing that you have a simple password synchronization solution that runs as often as you would like. Whatever account the task runs under needs the rights to run ADMT and to modify user accounts in the target domain, so use a dedicated service account rather than a personal admin login. It's still not a real-time synchronization solution. If that's what you want, then FIM's your solution. But if you want quick, dirty, and cheap, this will get you there.
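As an added example that is not part of the original post, this registers the sync script with the Task Scheduler using the ScheduledTasks module that ships with Windows Server 2012 and later. The script path, task name, account name and interval are placeholders; the account is assumed to be a dedicated service account with only the rights ADMT and Set-ADUser need, and its password is prompted for at registration instead of being written into the script.

```powershell
# Added example (not from the original post). Paths, names and interval are placeholders.
$ScriptPath = 'C:\ADMT\Sync-AdmtPasswords.ps1'   # the sync script saved to disk
$TaskName   = 'ADMT Password Sync'
$Every      = New-TimeSpan -Minutes 30

# Dedicated service account; Get-Credential prompts for the password instead of hard-coding it.
$cred = Get-Credential -UserName 'TARGET\svc-admt-sync' -Message 'Account the sync task runs as'

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""

# A one-time trigger with a repetition interval and an open-ended duration = "every 30 minutes, forever".
# Server 2012 requires a duration alongside the interval; Server 2016 and later accept -RepetitionInterval alone.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval $Every -RepetitionDuration ([TimeSpan]::MaxValue)

# IgnoreNew: if an ADMT run is still going when the next trigger fires, skip it rather than run two at once.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# -User/-Password stores the credential with the task so it runs whether or not anyone is logged on.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest
```

Register the task from the ADMT server itself, since the script calls admt.exe locally and needs the Active Directory module on the same machine.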

Share and Enjoy!
