Welcome to the forums,
Don't worry, you definitely got other methods than making people admins!
If supported on both ends you should be able to use imapsync plain auth.
So what your seeing is that the admin accounts in the most recent versions automatically have fallback auth set incase your external AD auth is unavailable or configured improperly.
If you've already set up this domain against the AD for auth you could alternatively enable fallback auth for everyone on it:
Then 'cut' your connection to the AD box.
zmprov md migration.domain.com zimbraAuthFallbackToLocal TRUE
Some create a domain with local auth just for migration - you can do this from the admin gui of course, but the commands are:
When you provision the accounts don't make the password too easy, because even though you're going to use the AD later (&/or change fallbackauth back) it's still not a good idea to have simple pass (you would use ‘’ for like a null if your just going to use AD the whole time)
zmprov cd migration.domain.com zimbraAuthMech zimbra
Obviously you will have more on these lines for account names etc, see:
zmprov ca firstname.lastname@example.org password
Zmprov - Zimbra :: Wiki
Zmprov Examples - Zimbra :: Wiki
Bulk Provisioning - Zimbra :: Wiki
So now you have both the shadow accounts & zimbra accounts with known passwords.
Then imapsync from unix boxes (email@example.com) > zimbra boxes (firstname.lastname@example.org)
And script a rename of the accounts to the main domain that uses external auth (& no fallback):
When your all done just delete that migration.domain.com
zmprov ra email@example.com firstname.lastname@example.org
Note if you are on the Network Edition:
After the account renames they might not make it in-to incremental backups until the next system full backup; either automatic or if you manually start one.
I can't imagine we're talking 2.5K users with more than 10TB, but if you can't do a full system wide backup too often because of disk or tape capacity storage reasons etc; and this is going to be a long migration timeline, you can do them individually:
zmbackup -f -s server.domain.com -a email@example.com
(server being the mailstore they happen to be on)