'must change password at next logon' gets enabled after ADMT migration for each user

Experts,

I am doing a migration in AD to Windows 2003 from Windows 2000 using the
ADMT. I am saving the passwords during the migration by way of a password
export service on the source DC, and everything works great. However, the
user is tagged with a "must change password at next logon" attribute in the
target domain. Is there a way to prevent this from getting enabled or a
script I can run to run thorough my target AD and un-check that option for
each user?

 

Hmmm...sounds like ADMT is flagging the userAccountControl attribute because
the account doesn't have a complex password (unlikely) or is older than the
expirery settings in the new domain (possibly more likely). I don't know if
this is the case or not (just guessing) - we'll have to check the ADMT doc
to see if it does anything like that.

You can write a script that will go off and mod userAccountControl or you
could use DS* or AD* tools. Have a quick google for userAccountControl and
reset password for some example code. There should be some at Microsoft and
I'm pretty sure there's an example at www.rallenhome.com

 

Hello Spin,

Thank you for using newsgroup!

As far as I know, the setting of "User must change password at next logon"
is by design and we do not have a method to change it with ADMT. We can
change this post migration for all users with a script. The attribute that
has to get changed is pwdLastSet. You will need to set this to a negative
1. This link has an example for your reference:
<http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx>

New in Windows Server 2003 are security checks whenever various passwords
related API's are used. ADMT uses such API's to set the users password
during user migration. Windows Server 2003 provides a setting to allow an
administrator to prevent tampering of user passwords, and this causes the
behaviors you are observing when migrating users.

This setting is part of the following registry key:
Key: KEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value name: SamRestrictOwfPasswordChange
Data type: REG_DWORD

By defining SamRestrictOwfPasswordChange to a value of '0' on all 2003
domain controllers, the LSASS process will allow the ADMT tool to set user
passwords without requiring a password change at next logon.

Enabling Migration of Passwords
<http://technet2.microsoft.com/WindowsServer/f?en/Library/75c15a86-f52d-46dd
-b894-a933ab2024621033.mspx>

Hope the information helps!

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| From: "Spin" <>
| Newsgroups:
microsoft.public.windows.server.active_directory,microsoft.public.windows.se
rver.migration
| Subject: 'must change password at next logon' gets enabled after ADMT
migration for each user
| Date: Thu, 2 Feb 2006 08:06:28 -0500
| Lines: 14
| Message-ID: <>
| X-Trace: individual.net 1TS27c7s/MLy0I+Y1ZNgbQl7QJKeQlFlXOv7h7FSNf+f6XfYym
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| X-RFC2646: Format=Flowed; Original
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!newsfe
ed01.sul.t-online.de!t-online.de!fu-berlin.de!uni-berlin.de!individual.net!n
ot-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.windows.server.migration:22270
microsoft.public.windows.server.active_directory:62448
| X-Tomcat-NG: microsoft.public.windows.server.migration
|
| Experts,
|
| I am doing a migration in AD to Windows 2003 from Windows 2000 using the
| ADMT. I am saving the passwords during the migration by way of a
password
| export service on the source DC, and everything works great. However,
the
| user is tagged with a "must change password at next logon" attribute in
the
| target domain. Is there a way to prevent this from getting enabled or a
| script I can run to run thorough my target AD and un-check that option
for
| each user?
|
| --
| Spin
|
|
|

 

this is default behavior of ADMT for user accounts

this does not apply to service accounts if they are identified before
migrating them

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx