'must change password at next logon' gets enabled after ADMT migration for each user

Discussion in 'Server Migration' started by Spin, Feb 2, 2006.

  1. Spin

    Spin Guest

    Experts,

    I am doing a migration in AD to Windows 2003 from Windows 2000 using the
    ADMT. I am saving the passwords during the migration by way of a password
    export service on the source DC, and everything works great. However, the
    user is tagged with a "must change password at next logon" attribute in the
    target domain. Is there a way to prevent this from getting enabled or a
    script I can run to run through my target AD and un-check that option for
    each user?
     
    Spin, Feb 2, 2006
    #1

  2. Hmmm...sounds like ADMT is flagging the userAccountControl attribute because
    the account doesn't have a complex password (unlikely) or is older than the
    expiry settings in the new domain (possibly more likely). I don't know if
    this is the case or not (just guessing) - we'll have to check the ADMT doc
    to see if it does anything like that.

    You can write a script that will go off and mod userAccountControl or you
    could use DS* or AD* tools. Have a quick google for userAccountControl and
    reset password for some example code. There should be some at Microsoft and
    I'm pretty sure there's an example at www.rallenhome.com
     
    Paul Williams [MVP], Feb 2, 2006
    #2

  3. Hello Spin,

    Thank you for using the newsgroup!

    As far as I know, the setting of "User must change password at next logon"
    is by design and we do not have a method to change it with ADMT. We can
    change this post-migration for all users with a script. The attribute that
    has to be changed is pwdLastSet. You will need to set this to -1. This link
    has an example for your reference:
    <http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx>

    New in Windows Server 2003 are security checks whenever various
    password-related APIs are used. ADMT uses such APIs to set the user's
    password during user migration. Windows Server 2003 provides a setting that
    allows an administrator to prevent tampering with user passwords, and this
    causes the behavior you are observing when migrating users.

    This setting is part of the following registry key:
    Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
    Value name: SamRestrictOwfPasswordChange
    Data type: REG_DWORD

    By defining SamRestrictOwfPasswordChange to a value of '0' on all 2003
    domain controllers, the LSASS process will allow the ADMT tool to set user
    passwords without requiring a password change at next logon.

    Enabling Migration of Passwords
    <http://technet2.microsoft.com/WindowsServer/f?en/Library/75c15a86-f52d-46dd-b894-a933ab2024621033.mspx>

    Hope the information helps!

    Ken Zhao

    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Ken Zhao [MSFT], Feb 3, 2006
    #3
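A worked PowerShell version of the two steps in the reply above (check the SamRestrictOwfPasswordChange value on every DC in the target domain, then clear pwdLastSet on the accounts ADMT migrated), added here as an illustration; it is not code from this thread, from the linked Script Center page, or from Microsoft. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and rights to modify the migrated users; the OU path and the 'svc-backup' exclusion in the usage lines are placeholders. Two practitioner notes: the search is limited to accounts with sIDHistory populated and pwdLastSet = 0, so untouched native accounts are not altered, and because a value of 0 for SamRestrictOwfPasswordChange switches off the protection the reply describes, the read-only check is there so you can confirm the value is reverted on each DC once the migration is finished.

```powershell
# Added example, not code from the original thread. Requires the RSAT
# ActiveDirectory module; OU path and account names in the usage lines are assumptions.
Import-Module ActiveDirectory

# Read (never write) the LSA value on each DC. Use this before migration to see
# which DCs still need the ADMT workaround and afterwards to confirm it was reverted.
function Get-SamRestrictOwfPasswordChange {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $value = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name 'SamRestrictOwfPasswordChange' -ErrorAction SilentlyContinue
            ).SamRestrictOwfPasswordChange
        }
        [pscustomobject]@{
            DomainController             = $dc.HostName
            SamRestrictOwfPasswordChange = if ($null -eq $value) { '(not set)' } else { $value }
        }
    }
}

# Clear the "User must change password at next logon" flag only for accounts ADMT
# actually migrated. The flag is stored as pwdLastSet = 0; ADMT populates sIDHistory
# on migrated accounts, so that attribute is used to scope the search. Writing -1 to
# pwdLastSet clears the flag and stamps the current time; the password itself is
# not touched. Supports -WhatIf so you can dry-run first.
function Clear-MigratedUserMustChangeFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string[]]$ExcludeSamAccountName = @()   # e.g. service accounts to leave alone
    )
    $filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(sIDHistory=*))'
    $users  = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties pwdLastSet, sIDHistory
    foreach ($u in $users) {
        if ($ExcludeSamAccountName -contains $u.SamAccountName) { continue }
        $apply = $PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear "must change password at next logon"')
        if ($apply) {
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = -1 }
            # Cmdlet-level equivalent: Set-ADUser -Identity $u -ChangePasswordAtLogon $false
        }
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Cleared = $apply }
    }
}

# Usage (assumed names): check the DCs, dry-run the clean-up, then apply it.
# Get-SamRestrictOwfPasswordChange | Format-Table
# Clear-MigratedUserMustChangeFlag -SearchBase 'OU=Migrated,DC=target,DC=example' -WhatIf
# Clear-MigratedUserMustChangeFlag -SearchBase 'OU=Migrated,DC=target,DC=example' -ExcludeSamAccountName 'svc-backup'
```

The sIDHistory scoping matters because pwdLastSet = 0 is also the state of any freshly created native account whose administrator deliberately forced a password change; without it the script would silently undo those.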
  4. This is the default behavior of ADMT for user accounts.

    This does not apply to service accounts if they are identified before
    migrating them.

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    # Jorge de Almeida Pinto #
    MVP Windows Server - Directory Services
    BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
     
    Jorge de Almeida Pinto [MVP], Feb 3, 2006
    #4