RE: Migration: undesired password setting; unmigrated group membership



Hi Rosivaldo,

Thank you for your post.

I understand that you want to disable the "User must change password at
next logon" option when using ADMT to migrate user accounts with passwords.
If I have misunderstood your concerns, please feel free to let me know.

Based on my research, this is by-design behavior. In Windows Server 2003,
if a password is set using the hash, the "User must change password at next
logon" attribute is set automatically by the system. ADMT cannot retrieve
the clear-text password and uses the hash of the password, so the user is
forced to change the password at next logon.

A workaround is to use a VBScript using ADSI to clear that attribute. The
preferred solution is to use a registry key to control this. Although
VBScript is not supported in this newsgroup, I would like to list the info
for your reference:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value name: SamRestrictOwfPasswordChange
Data type: REG_DWORD
Allowed values: 0, 1, 2
0 - old behavior: the client can change the password through the OWF
password change API, and the new password remains unexpired.
1 - .NET Server default behavior: the client can change the password through
the OWF password change API (SamrChangePasswordUser), but the password
expires immediately.
2 - more secure behavior: the client cannot use the OWF password change API.
This API (SamrChangePasswordUser) is totally disabled and returns
STATUS_ACCESS_DENIED for all clients except LocalSystem and members of the
builtin Administrators group.

Note:
All restrictions are NOT applied to SYSTEM or members of the Builtin
Administrators alias group.
If the value of the registry is anything but 0, 1 or 2, the default value
of 1 will be picked.
This security setting is an independent control. It does not interact
with the newly introduced extended control access right at all.
This security feature works in both DS and Registry cases.

If you want to know more about how to write a script to do this, due to the
complexity of programming issues, we are unable to assist with this request
in the Partner Support newsgroups. Thank you for your understanding.

For further assistance on this issue, please contact Microsoft Product
Support Services or post your question on the Microsoft public newsgroups.
Below are the links:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
http://msdn.microsoft.com/newsgroups/default.asp.

For more reference:
How to configure the Active Directory Migration Tool to migrate user
passwords from a Windows NT 4.0 domain to a Windows Server 2003 domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;832221

If you have any concerns, please feel free to let me know.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
Business-Critical Phone Support (BCPS) provides you with technical phone
support at no charge during critical LAN outages or "business down"
situations. This benefit is available 24 hours a day, 7 days a week to all
Microsoft technology partners in the United States and Canada.

This and other support options are available here:
BCPS:
https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
Others: https://partner.microsoft.com/US/technicalsupport/supportoverview/

If you are outside the United States, please visit our International
Support page:
http://support.microsoft.com/default.aspx?scid=%2finternational.aspx.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
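As an added example (not part of the original post, and not ADMT's own code), the two approaches the reply describes, in Windows PowerShell: a pair of functions that read and set SamRestrictOwfPasswordChange on the target DC, and an ADSI search that finds migrated accounts still carrying "User must change password at next logon" (pwdLastSet = 0) and clears the flag by writing pwdLastSet = -1, which makes the DC stamp the current time. The OU path 'LDAP://OU=Migrated,DC=target,DC=example', the function names and the batch sequence at the end are assumptions; the registry part must run in an elevated session on the DC itself.

```powershell
# Added example, not code from the original post or from ADMT. Assumptions:
#   * the registry functions run elevated on the target Windows Server 2003 DC;
#   * the ADSI function runs as an account allowed to write pwdLastSet;
#   * 'LDAP://OU=Migrated,DC=target,DC=example' is a hypothetical OU path.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'SamRestrictOwfPasswordChange'

# Report how the DC treats passwords set through the OWF (hash) change API.
# Meanings follow the table in the post; anything other than 0/1/2 acts as 1.
function Get-OwfPasswordChangePolicy {
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "$ValueName not present: default behavior (1) applies" }
    $v = [int]$item.$ValueName
    switch ($v) {
        0       { "0: OWF password change allowed, new password stays unexpired" }
        1       { "1: OWF password change allowed, password expires immediately (default)" }
        2       { "2: SamrChangePasswordUser returns STATUS_ACCESS_DENIED except for SYSTEM/Administrators" }
        default { "$($v): out of range, DC falls back to 1" }
    }
}

# Set the policy for the duration of a migration batch. 0 is the weaker
# setting (hash-set passwords are not expired for any caller), so restore 1
# once the batch is done.
function Set-OwfPasswordChangePolicy {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1, 2)][int]$Value)
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Type DWord -Value $Value
    Get-OwfPasswordChangePolicy
}

# Find user accounts below $OuPath that still carry the must-change flag
# (pwdLastSet = 0) and clear it by writing -1. -ReportOnly lists them only,
# so you can confirm the scope before touching anything.
function Clear-MustChangePasswordFlag {
    param(
        [string]$OuPath = 'LDAP://OU=Migrated,DC=target,DC=example',   # hypothetical
        [switch]$ReportOnly
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$OuPath)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))'
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['samaccountname'][0]
        if ($ReportOnly) { "flag set: $name"; continue }
        $user = $result.GetDirectoryEntry()
        $user.pwdLastSet = -1      # 0 = must change at next logon; -1 = clear, stamp now
        $user.SetInfo()
        "flag cleared: $name"
    }
}

# Typical sequence for one ADMT batch (uncomment to run):
# Get-OwfPasswordChangePolicy
# Set-OwfPasswordChangePolicy -Value 0      # before running ADMT with password migration
# ... run the ADMT batch ...
# Clear-MustChangePasswordFlag -ReportOnly  # accounts that still carry the flag
# Clear-MustChangePasswordFlag              # clear them
# Set-OwfPasswordChangePolicy -Value 1      # restore the default
```

The registry value changes how the DC treats every password set through the OWF API, not just the ones ADMT writes, which is why the example sets it back to 1 after the batch; the ADSI route only touches accounts the LDAP filter returns, and the report-only pass shows exactly which those are.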
