Important background information
This article covers the scenario where customers have an existing ePO server that manages DE-encrypted systems and where:
- The administrator wants to migrate users to a different Active Directory (AD) forest
- The user sAMAccountName attribute in AD has been maintained, but the user GUID has changed
A process for removing users from the old domain and adding users from the target domain must be identified. The process can vary for each environment, so the migration process recommendations are outside the realm of Technical Support. Consider engaging with Professional Services to properly determine an appropriate solution.
The simplest method to remove an existing user and add a new user is to migrate the system from one ePO server (old forest) to another ePO server (new forest). Although a migration process has been added in DE 7.1.3, this process does not account for changing domains during the transfer, and can't be used. For details about this limitation, see KB83186 - Statement regarding the migration of managed encrypted systems from one ePO server to another.
Issues that can occur when you try to migrate users but don't follow the procedure outlined in the "Solution" field:
- Duplicate users can occur in the ePO database. The problem occurs because a new Globally Unique Identifier (GUID) is created when users are migrated in AD. ePO uses the Registered LDAP Server and user GUID to track users. The new GUID tied to a different Registered LDAP Server is seen by ePO as a unique user. ePO doesn't associate the GUID with the previously existing user that has the same sAMAccountName. Encryption users are directly tied to the AD user through its GUID, sAMAccountName, or Distinguished Name. This scenario leaves both the original and new user in the database.
- Client systems manage users solely based on GUID, and trying to add users with the same sAMAccountName results in unexpected and adverse behaviors. This scenario isn't recommended or supported.
- Add Local Domain users (ALDU) doesn't add migrated users from the new forest if the system is still a member of the previous forest. ALDU only functions if the user and system are members of the same forest. The system would first need to be moved to the new domain before trying to add any users.
- If the user from the previous domain isn't removed before moving the system to the target domain, the addition of the user from the target domain can result in duplicate users in ePO when using ALDU.
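To make the tracking rule above concrete, here is an added example (not code from the KB article or the product) that models the ePO identity key (Registered LDAP Server plus user GUID) and audits a constructed list of exported users for the duplicates a cross-forest migration leaves behind. The field names, server names and GUIDs are assumptions.

```python
# Added example: models how ePO distinguishes users by (Registered LDAP
# Server, GUID) rather than by sAMAccountName, and reports sAMAccountNames
# that now map to more than one ePO user. Records and field names are
# constructed for illustration, not an actual ePO export format.
from collections import defaultdict


def epo_identity(record):
    """ePO's tracking key: Registered LDAP Server plus the AD objectGUID.
    A user re-created in a new forest gets a new GUID, so the key changes
    even though sAMAccountName is unchanged."""
    return (record["ldap_server"].lower(), record["guid"].lower())


def find_duplicate_users(records):
    """Group by sAMAccountName (case-insensitive, as AD treats it) and
    return names that resolve to more than one distinct ePO identity."""
    by_name = defaultdict(set)
    for rec in records:
        by_name[rec["samaccountname"].lower()].add(epo_identity(rec))
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


# Constructed sample: jdoe was migrated to the new forest and added again
# via ALDU without first removing the old-forest user; asmith was not migrated.
SAMPLE_USERS = [
    {"samaccountname": "jdoe", "ldap_server": "old.example.com",
     "guid": "11111111-1111-1111-1111-111111111111"},
    {"samaccountname": "JDoe", "ldap_server": "new.example.com",
     "guid": "22222222-2222-2222-2222-222222222222"},
    {"samaccountname": "asmith", "ldap_server": "old.example.com",
     "guid": "33333333-3333-3333-3333-333333333333"},
]

if __name__ == "__main__":
    for name, ids in find_duplicate_users(SAMPLE_USERS).items():
        print(f"{name}: {len(ids)} ePO users -> {ids}")
```

Run against a list built from your own user export before and after the move; any name listed indicates the old-forest user was not removed before the new-forest user was added.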