RE: ADMT - password questions



Jason,

Thanks for your help with this. I will have a look at the registry key and
test it out. It sounds like it should do what we are trying to achieve. One
question about it though: if we set the reg key to 0 so that the "user must
change password at next logon" is unticked after the migration, will the
password eventually expire as per our policy or will this reg key override
our policy so that passwords never expire?

Thanks,
Matt

"Jason Tan (MSFT)" wrote:

> Hi,
>
> Thank you for your post.
>
> Please note that the newsgroups provide assistance to resolve break/fix
> issues. It seems that there are two questions and the second one is a
> non-break/fix issue. We recommend Microsoft Advisory Services, a
> remotely-delivered, consultative support option that adds the element of
> proactive support, providing a comprehensive result beyond your break-fix
> product maintenance needs. More information on this service here:
> <http://support.microsoft.com/gp/advisoryservice>
>
> For more info in the US and Canada:
> http://support.microsoft.com/default.aspx?pr=AdvisoryService
>
> Outside of the US/Canada:
> http://support.microsoft.com/default.aspx?scid=%2finternational.aspx
>
> I understand that you want to disable the "User Must Change password at
> next logon" option when using ADMT to migrate user accounts with passwords.
> If I have misunderstood your concerns, please feel free to let me know.
>
> In Windows Server 2003, if the password is set using the hash, the "user must
> change password at next logon" attribute is set automatically by the
> system. ADMT cannot retrieve the clear-text password and uses the hash of
> the password, so the user is forced to change the password at next logon.
>
> You can write a VB script using ADSI to clear that attribute as a
> workaround. The preferred solution is to use a registry key to control
> this.
> Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
> Value name: SamRestrictOwfPasswordChange
> Data type: REG_DWORD
> Allowed values: 0, 1, 2
> 0 - old behavior, client can change password through OWF password change
> API, and the new password remains unexpired.
> 1 - .NET Server default behavior, client can change password through OWF
> password change API (SamrChangePasswordUser), but the password expires
> immediately.
> 2 - more secure behavior, client can't use OWF password change API. This
> API (SamrChangePasswordUser) will be totally disabled and return
> STATUS_ACCESS_DENIED for all clients except for LocalSystem and members of
> builtin administrators group.
>
> Note:
> All restrictions are NOT applied to SYSTEM or members of Builtin
> Administrators Alias Group.
> If the value of the registry is anything but 0, 1 and 2, the default value
> of 1 will be picked.
> This security setting is an independent control. It does not interact
> with the newly introduced extended control access right at all.
> This security feature works in both DS and Registry cases.
>
> If you want to know more on how to write a script to do this, due to the
> complexity of programming issues, we are unable to assist with this request
> in these newsgroups. You may post to the MSDN newsgroups here:
> http://www.msdn.microsoft.com/newsgroups/ or you can contact Microsoft
> Advisory Service directly for further assistance. Thank you for your
> understanding.
>
> Thanks & Regards,
>
> Jason Tan
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
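Editor's note: the script below is an added example, not code from Matt, Jason or Microsoft. It shows how an administrator would inspect and set the SamRestrictOwfPasswordChange value exactly as described in the reply above (0, 1, 2; any other data falls back to the default of 1), and, for the ADSI workaround Jason mentions, how to clear the "user must change password at next logon" flag on a migrated account. Assumptions: an elevated PowerShell prompt on the domain controller for the registry part, and the ActiveDirectory module (Set-ADUser / Get-ADUser) for the account part, which is used here in place of the VBScript/ADSI approach the reply refers to. The function names and the sample identity are hypothetical.

```powershell
# Added example (not from the original thread). Registry path and value name
# are the ones quoted in the reply; semantics of 0/1/2 are taken from there.
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'SamRestrictOwfPasswordChange'

# Meaning of each allowed value, as documented in the reply.
$Behaviour = @{
    0 = 'OWF password change allowed; new password remains unexpired'
    1 = 'OWF password change allowed; password expires immediately (default)'
    2 = 'SamrChangePasswordUser disabled (STATUS_ACCESS_DENIED) except for SYSTEM and Builtin Administrators'
}

function Get-EffectiveOwfSetting {
    # Read the raw REG_DWORD (may be absent) and apply the documented fallback:
    # anything other than 0, 1 or 2 is treated as 1.
    $raw = (Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $raw -or $raw -notin 0, 1, 2) { $effective = 1 } else { $effective = [int]$raw }

    [pscustomobject]@{
        RawValue  = $raw          # $null when the value has never been created
        Effective = $effective    # what LSA will actually enforce
        Meaning   = $Behaviour[$effective]
    }
}

function Set-OwfSetting {
    # Create or overwrite the value; ValidateSet refuses anything outside 0..2
    # so we never write data that would silently fall back to the default.
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value)

    New-ItemProperty -Path $LsaPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    Get-EffectiveOwfSetting    # return the state after the change for the audit log
}

function Clear-MustChangePasswordFlag {
    # Workaround for accounts ADMT has already migrated with the flag set.
    # "User must change password at next logon" is stored as pwdLastSet = 0;
    # Set-ADUser -ChangePasswordAtLogon $false resets pwdLastSet to "now", so
    # the account is back under the normal domain password policy.
    param([Parameter(Mandatory)][string]$Identity)

    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $false
    Get-ADUser -Identity $Identity -Properties pwdLastSet |
        Select-Object SamAccountName, pwdLastSet   # non-zero pwdLastSet confirms the flag is cleared
}

# Usage (hypothetical account name):
#   Get-EffectiveOwfSetting
#   Set-OwfSetting -Value 0
#   Clear-MustChangePasswordFlag -Identity 'migrated.user'
```

Run Get-EffectiveOwfSetting before and after the change and keep both outputs with the migration record; the Effective column is what matters, since a typo such as 3 in the data would not error but would behave as 1.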