RE: 'must change password at next logon' gets enabled after ADMT migration for each user



Hello Spin,

Thank you for using the newsgroup!

As far as I know, the setting of "User must change password at next logon"
is by design and we do not have a method to change it with ADMT. We can
change this post migration for all users with a script. The attribute that
has to get changed is pwdLastSet. You will need to set this to a negative
1. This link has an example for your reference:
<http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx>

New in Windows Server 2003 are security checks whenever various
password-related APIs are used. ADMT uses such APIs to set the user's password
during user migration. Windows Server 2003 provides a setting to allow an
administrator to prevent tampering of user passwords, and this causes the
behaviors you are observing when migrating users.

This setting is part of the following registry key:
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value name: SamRestrictOwfPasswordChange
Data type: REG_DWORD

By defining SamRestrictOwfPasswordChange to a value of '0' on all 2003
domain controllers, the LSASS process will allow the ADMT tool to set user
passwords without requiring a password change at next logon.

Enabling Migration of Passwords
<http://technet2.microsoft.com/WindowsServer/f?en/Library/75c15a86-f52d-46dd-b894-a933ab2024621033.mspx>

Hope the information helps!

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| From: "Spin" <Spin@xxxxxxxx>
| Newsgroups: microsoft.public.windows.server.active_directory,microsoft.public.windows.server.migration
| Subject: 'must change password at next logon' gets enabled after ADMT migration for each user
| Date: Thu, 2 Feb 2006 08:06:28 -0500
|
| Experts,
|
| I am doing a migration in AD to Windows 2003 from Windows 2000 using the
| ADMT. I am saving the passwords during the migration by way of a password
| export service on the source DC, and everything works great. However, the
| user is tagged with a "must change password at next logon" attribute in the
| target domain. Is there a way to prevent this from getting enabled or a
| script I can run to run through my target AD and un-check that option for
| each user?
|
| --
| Spin
|
|
|
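
Added example (not part of the original posts, and not Microsoft's script): one way to do the post-migration pwdLastSet reset described in the reply above, limited to one OU and with an audit file written before anything changes. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the OU path and CSV file name are placeholders.

```powershell
# Added example: clear "User must change password at next logon" for migrated users
# by writing -1 to pwdLastSet, as the reply describes.
# Assumptions: ActiveDirectory module (RSAT) is installed; $SearchBase and $AuditCsv
# are hypothetical placeholder values to replace with your own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Migrated,DC=target,DC=example',
    [string]$AuditCsv   = '.\pwdLastSet-reset-audit.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# pwdLastSet = 0 is how the directory stores the "must change password" check box.
# Filtering on it leaves every other account in the OU untouched.
$flagged = @(Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
    -SearchScope Subtree -Properties pwdLastSet, whenCreated)

# Record exactly which accounts are in scope before changing them.
# -WhatIf:$false keeps the audit file even during a -WhatIf dry run.
$flagged |
    Select-Object SamAccountName, DistinguishedName, Enabled, whenCreated |
    Export-Csv -Path $AuditCsv -NoTypeInformation -WhatIf:$false

foreach ($user in $flagged) {
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Set pwdLastSet to -1')) {
        try {
            # -1 makes the directory stamp pwdLastSet with the current time,
            # so the password age for this account restarts from now.
            Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 } -ErrorAction Stop
        }
        catch {
            Write-Warning "Failed for $($user.SamAccountName): $_"
        }
    }
}

# Verify: anything still listed here was skipped or failed.
$remaining = @(Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase)
Write-Output "In scope: $($flagged.Count); still flagged: $($remaining.Count)"
```

Run it with -WhatIf first to review the account list in the audit CSV. Accounts that were deliberately flagged for a password change in the target domain also match the filter, so keep the search base limited to the migrated OU.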
