Joe Workman edited this page Jan 26, 2026 · 17 revisions

JumpCloud Active Directory Migration Utility (ADMU)

Overview

The JumpCloud Active Directory Migration Utility (ADMU) is an automation tool designed to help administrators migrate Windows devices and users from Active Directory (AD) or Entra ID (Azure AD) to JumpCloud management—without disrupting user profiles, data, or productivity.

What Problem Does ADMU Solve?

Active Directory and Entra ID manage user accounts fundamentally differently than local Windows accounts. JumpCloud can manage local Windows accounts, but it cannot directly take over AD or Entra ID domain accounts. This creates a challenge during migrations:

  • Domain accounts are managed by AD/Entra ID controllers and use domain-based authentication
  • Local accounts are managed by the Windows system itself and can be managed by JumpCloud
  • Manual conversion between these account types requires dozens of technical steps across the Windows registry, file system permissions, user profiles, and system configuration

Without ADMU, administrators would need to manually:

  1. Create new local user accounts
  2. Copy and merge user registry hives (NTUSER.DAT and UsrClass.dat)
  3. Update file system permissions and ownership
  4. Re-register Universal Windows Platform (UWP) applications
  5. Configure domain settings and manage system unbinding
  6. Install and configure the JumpCloud agent
  7. Bind JumpCloud users to the migrated accounts

ADMU automates this process, reducing manual work, and is packaged as a single executable.

How ADMU Works

At a very high level, ADMU performs a profile conversion process which follows these steps:

1. Profile Registry Migration

  • Creates a backup of the domain user's registry hives (NTUSER.DAT and UsrClass.dat)
  • Creates a new local Windows user account with the specified username
  • Copies the domain user's registry data to the new local user profile
  • Preserves user preferences, settings, and application configurations

2. Permissions & Ownership

  • Sets NTFS file system permissions on the user's profile directory
  • Updates registry permissions to ensure the new local user has proper access

3. Application Re-registration

  • Re-registers Universal Windows Platform (UWP) apps to the new local user
  • Preserves application state and user-specific app data

4. System Management

  • Optionally unbinds the system from Active Directory or Entra ID domains
  • Can remove devices from Microsoft Intune MDM management
  • Installs the JumpCloud agent to enable cloud-based management
  • Binds the migrated local user to their corresponding JumpCloud user account

5. Post-Migration Configuration

  • Can configure the new local user as an administrator if specified
  • Sets the default Windows login user to the newly migrated account
  • Optionally forces a system reboot to complete domain unbinding
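
A post-migration check for the permissions and ownership step above, as an added example that is not ADMU's own code: it reports the owner of the migrated profile directory, the rights the new local user holds on it, and any ACEs that still reference domain-issued SIDs. It assumes Windows PowerShell 5.1, an elevated session, and a local user whose profile is registered in ProfileList; `Get-MigratedProfileAccess` and the user name `migrated.user` are hypothetical.

```powershell
# Added example (not ADMU code): report who can access a migrated profile directory.
# Read-only; run elevated after the migration has finished.
function Get-MigratedProfileAccess {
    param([Parameter(Mandatory)] [string] $LocalUserName)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $userSid = (Get-LocalUser -Name $LocalUserName -ErrorAction Stop).SID

    # ProfileList maps each SID to the profile directory Windows loads for it.
    $key  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($userSid.Value)"
    $path = (Get-ItemProperty -Path $key -ErrorAction Stop).ProfileImagePath

    # Request SIDs, not names, so the check works with no domain controller reachable.
    $acl   = Get-Acl -LiteralPath $path
    $rules = @($acl.GetAccessRules($true, $true, $sidType))
    $owner = $acl.GetOwner($sidType).Value

    # ACEs that belong to the new local user.
    $mine = $rules | Where-Object { $_.IdentityReference.Value -eq $userSid.Value }

    # Account SIDs whose domain part is not this machine's SID were issued by AD;
    # SIDs starting with S-1-12-1- were issued by Entra ID.
    $foreign = $rules | Where-Object {
        $domainPart = $_.IdentityReference.AccountDomainSid
        ($_.IdentityReference.Value -like 'S-1-12-1-*') -or
        ($null -ne $domainPart -and -not $domainPart.Equals($userSid.AccountDomainSid))
    }

    [pscustomobject]@{
        ProfilePath   = $path
        OwnerSid      = $owner
        OwnedByUser   = ($owner -eq $userSid.Value)
        UserRights    = @($mine | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" })
        DomainSidAces = @($foreign | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
}

# 'migrated.user' is a placeholder; substitute the local account created by the migration.
Get-MigratedProfileAccess -LocalUserName 'migrated.user' | Format-List
```

An empty `UserRights` list means the new account has no ACE of its own on the profile directory. Entries in `DomainSidAces` show which domain-issued SIDs still hold access there.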

Deployment Options

ADMU provides flexible deployment options to suit different migration scenarios:

GUI Application (Interactive Migrations)

Best for: Individual device migrations, testing, and smaller deployments

  • Download the gui_jcadmu.exe from the releases page
  • Run the executable on the target Windows device
  • Interactive graphical interface for selecting users and configuring migration options
  • Real-time validation and status updates
  • Ideal for IT administrators performing hands-on migrations

Learn more about the GUI →

CLI Executable (Remote/Scripted Migrations) ← Recommended for Remote Deployments

Best for: Automated deployments, remote migrations, and mass migrations

  • Same gui_jcadmu.exe executable, invoked with command-line parameters
  • Can be deployed via JumpCloud Commands to remotely migrate devices
  • Supports bulk migrations across multiple systems
  • Enables migrations at scale without physical access to devices
  • Preferred method for remote migrations due to simplified deployment and consistent behavior

Learn more about remote deployments →

PowerShell Module (Alternative Option)

Best for: Legacy workflows or environments requiring native PowerShell cmdlets

  • Install from PowerShell Gallery: Install-Module -Name JumpCloud.ADMU
  • Provides the Start-Migration and Start-Reversion cmdlets for programmatic access
  • Full parameter control for advanced migration scenarios

Note: While the PowerShell module is available and maintained, the CLI executable method is recommended for most remote migration scenarios as it offers easier deployment, better consistency, and simplified troubleshooting.

Learn more about the PowerShell module →

Key Features

  • Profile Preservation - Maintains user files, settings, and application data
  • No Secure Channel Required - Works even when systems can't reach domain controllers
  • Domain Unbinding - Removes systems from AD and Entra ID domains
  • Intune MDM Removal - Disconnects devices from Microsoft Intune management
  • Agent Installation - Automatically installs and configures the JumpCloud agent
  • User Binding - Automatically associates migrated users with JumpCloud accounts
  • Administrator Promotion - Can bind users as local administrators
  • Bulk Migration Support - Bulk migrations across hundreds of devices
  • Detailed Logging - Comprehensive logs for troubleshooting and audit trails
  • Migration Reversion - Ability to roll back failed or unwanted migrations

Important Limitations of Profile Preservation

While ADMU preserves most user data and settings during migration, there are technical limitations imposed by Windows security mechanisms that cannot be overcome:

What Cannot Be Migrated:

  • Certificate Store Credentials - Domain user certificates, private keys, and certificate-based authentication tokens cannot be transferred
  • Stored Passwords - Cached passwords in Windows Credential Manager, browser password stores, and application credentials are domain-bound and cannot be migrated
  • Default Application Preferences - Windows 10+ uses a hash-based protection mechanism that prevents programmatic changes to file type associations and default browser settings, meaning user preferences for default applications (PDF readers, web browsers, etc.) cannot be reliably preserved during migration. Users will need to reconfigure these settings after migration.

What Requires Re-configuration:

  • 🔄 Microsoft Office/Outlook - Requires re-authentication
  • 🔄 Cloud Sync Services - OneDrive, Box, Google Drive, etc. require re-authentication (see UpdateHomePath parameter considerations)
  • 🔄 VPN & Network Connections - May require re-entry of credentials
  • 🔄 Windows Hello Biometrics - Fingerprints and facial recognition must be re-enrolled

Why These Limitations Exist: Windows intentionally binds these security-sensitive items to the user's Security Identifier (SID) and domain context as a protective measure. When a domain user is converted to a local user, the SID changes and domain-based security boundaries no longer apply. This is a fundamental Windows security design that applies to all migration methods, not just ADMU.
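
To see which profiles on a device are bound to a domain-issued SID before migrating, the following added example (not part of the ADMU project) classifies every non-system profile as Local, ActiveDirectory, or EntraID from its SID alone. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts module and an elevated session; `Get-ProfileAccountType` is a hypothetical helper name.

```powershell
# Added example (not ADMU code): classify each user profile by the account type behind its SID.
# Read-only inventory; nothing on the system is changed.

# Every local account SID is <machine SID>-<RID>, so any local user yields the machine SID.
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid

function Get-ProfileAccountType {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $MachineSid
    )
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Entra ID (Azure AD) user SIDs use the S-1-12-1 authority.
    if ($Sid -like 'S-1-12-1-*') { return 'EntraID' }
    # Well-known SIDs (for example S-1-5-18) have no account-domain part.
    if ($null -eq $sidObj.AccountDomainSid) { return 'BuiltIn' }
    # The domain part matches the machine SID: a local account.
    if ($sidObj.AccountDomainSid.Equals($MachineSid)) { return 'Local' }
    # Any other S-1-5-21-... SID was issued by an Active Directory domain.
    return 'ActiveDirectory'
}

Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        $sidObj = [System.Security.Principal.SecurityIdentifier]::new($_.SID)
        # Name lookup can fail when no domain controller is reachable; keep the SID regardless.
        $name = try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value }
                catch { '(unresolved)' }
        [pscustomobject]@{
            AccountType = Get-ProfileAccountType -Sid $_.SID -MachineSid $machineSid
            Account     = $name
            SID         = $_.SID
            LocalPath   = $_.LocalPath
            Loaded      = $_.Loaded
        }
    } |
    Sort-Object AccountType, Account |
    Format-Table -AutoSize
```

Profiles reported as ActiveDirectory or EntraID are the ones whose SID will change when converted to a local account. Those users should expect to re-authenticate or re-enroll the items listed above.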

For a complete list of known limitations and workarounds, see the Limitations Documentation.

Quick Start

Ready to get started? Follow these steps:

  1. Plan Your Migration - Review Prerequisites & Planning
  2. Choose Your Method - Select GUI, CLI, or PowerShell based on your needs
  3. Test First - Always test on a non-production account before migrating real users
  4. Review Limitations - Check Known Limitations
  5. Execute Migration - Follow the deployment guide for your chosen method

Downloads

Support & Resources


Supported Operating Systems: Windows 8.1, 10, 11 | View OS Details →
