A. Typically, the Windows 2000 Active Directory Migration Tool (ADMT) is the best option for moving users between forests because it can also migrate passwords. If you require more flexibility than ADMT offers, you can use a Microsoft tool called ClonePrincipal (Clonepr), which is designed for interforest user and group copying. (You might already be aware of MoveTree, which is a tool used for intraforest moves only, although it does maintain passwords.)

ClonePrincipal is available as a download. The tool consists of several script files that you can modify and a DLL that contains much of the tool's logic. ClonePrincipal copies user objects to the target forest instead of moving them, so the user object in the original forest is unaffected. ClonePrincipal can copy users from Windows NT 4.0 and Active Directory (AD) sources. It also populates the SIDHistory attribute, which helps the copied account retain the access to resources that the original account had, such as files on a file server.