I've got about 2500 users from about 40 UNIX mail servers to be migrated to a couple of beefy Dell Servers running RHEL5. It is not feasible to reset their passwords. We are scripting the moving process. For the migration, we've got boxes set aside that will do all of the crunching. The Zimbra servers just have to accept the incoming imap connections from imapsync.

On the UNIX boxes, we are manipulating the shadow file, so we can get in there and get the mail, no problem. The new Zimbra boxes are authenticating off of our AD. We have to do our migration in stages (just because of the sheer numbers here, I'm talking TB, not GB of mail between the new servers). After the first migration, the first box will be live with users while we import in more (I know, crazy, but we are under a gun here). We have to minimalize the impact to the users.

I can not manipulate the authentication once Box1 goes live, so we can't just turn off the AD authentication to can use local authentication. As we know, Zimbra will not allow for multiple authentication sources (local and AD, etc.)

Because we have a mixed environment, our users can, and usually have, separate passwords for the UNIX world and the Windows world, so shadowing their login's on the UNIX boxes won't necessarily work. (this will be coming to an end soon too)

Here's what I have discovered:
If I set an account to be an administrator, it can use both local and AD Auth, so I know it has kept the password that I set when I batch created the accounts using zmprov.

Here's what I want to know, can I:
Batch change accounts to be administrator accounts (dangerous, but needed) and then batch change them back. I haven't found this documented anywhere.
On the command line force Zimbra to look at either the local password store or AD Auth until our migration is over and then we will turn it back to AD only.

Our only other option is to sit at the admin web gui and hit clicky boxes on every account before and after the migration.

Please help me Obi Wan Kenobi, you are my only hope. (yeah, I know, we are probably screwed)

Thanks in advance!