2/2/2006 6:09:00 AM    Re: 'must change password at next logon' gets enabled after ADMT migration for each user
You could use dsmod in conjunction with dsquery. They're available in XP and 2k3.

Please try (first in a lab!):

dsquery user <OU_DistinguishedName> -limit 0 | dsmod user -mustchpwd no

Luck

Emilio


2/2/2006 8:06:28 AM    'must change password at next logon' gets enabled after ADMT migration for each user
Experts,

I am doing a migration in AD to Windows 2003 from Windows 2000 using the ADMT. I am saving the passwords during the migration by way of a password export service on the source DC, and everything works great. However, the user is tagged with a "must change password at next logon" attribute in the target domain. Is there a way to prevent this from getting enabled or a script I can run to run through my target AD and un-check that option for each user?

--
Spin

2/2/2006 2:15:45 PM    Re: 'must change password at next logon' gets enabled after ADMT migration for each user
Hmmm...sounds like ADMT is flagging the userAccountControl attribute because the account doesn't have a complex password (unlikely) or is older than the expiry settings in the new domain (possibly more likely). I don't know if this is the case or not (just guessing) - we'll have to check the ADMT doc to see if it does anything like that.

You can write a script that will go off and mod userAccountControl or you could use DS* or AD* tools. Have a quick google for userAccountControl and reset password for some example code. There should be some at Microsoft and I'm pretty sure there's an example at www.rallenhome.com

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

2/3/2006 5:28:44 AM    RE: 'must change password at next logon' gets enabled after ADMT migration for each user
Hello Spin,

Thank you for using the newsgroup!

As far as I know, the setting of "User must change password at next logon" is by design and we do not have a method to change it with ADMT. We can change this post migration for all users with a script. The attribute that has to get changed is pwdLastSet. You will need to set this to a negative 1. This link has an example for your reference:

<http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx>

New in Windows Server 2003 are security checks whenever various password-related APIs are used. ADMT uses such APIs to set the user's password during user migration. Windows Server 2003 provides a setting to allow an administrator to prevent tampering of user passwords, and this causes the behaviors you are observing when migrating users.

This setting is part of the following registry key:

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value name: SamRestrictOwfPasswordChange
Data type: REG_DWORD

By defining SamRestrictOwfPasswordChange to a value of '0' on all 2003 domain controllers, the LSASS process will allow the ADMT tool to set user passwords without requiring a password change at next logon.

Enabling Migration of Passwords
<http://technet2.microsoft.com/WindowsServer/f?en/Library/75c15a86-f52d-46dd-b894-a933ab2024621033.mspx>

Hope the information helps!

Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
  
This posting is provided "AS IS" with no warranties, and confers no rights.  
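
The post-migration check described in the reply above (a pwdLastSet of 0 marks "must change password at next logon", and writing -1 clears it), as an added example that is not code from any poster in this thread. It assumes the target OU has been exported to LDIF with pwdLastSet included; the DNs, account names and timestamp below are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

# Constructed sample export; DNs and account names are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Migrated,DC=target,DC=example
sAMAccountName: alice
pwdLastSet: 0

dn: CN=Bob Example,OU=Migrated,DC=target,DC=example
sAMAccountName: bob
pwdLastSet: 127833120000000000

dn: CN=Carol Example,OU=Migrated,DC=target,DC=example
sAMAccountName: carol
pwdLastSet: 0
"""

def parse_entries(ldif):
    """Return one {attribute: value} dict per entry (plain-text values only)."""
    entries = []
    for block in ldif.replace("\r\n", "\n").strip().split("\n\n"):
        entry = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "dn" in entry:  # base64 "dn::" entries are skipped, not guessed at
            entries.append(entry)
    return entries

def password_state(pwd_last_set):
    """0 means must change at next logon; else decode the FILETIME (100 ns ticks)."""
    ticks = int(pwd_last_set)
    if ticks == 0:
        return "must-change"
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).isoformat()

def flagged(entries):
    """Accounts whose exported pwdLastSet is exactly 0."""
    return [e for e in entries if e.get("pwdLastSet") == "0"]

def build_change_ldif(entries):
    """One LDIF modify record per flagged account, replacing pwdLastSet with -1."""
    return "\n".join(
        f"dn: {e['dn']}\nchangetype: modify\nreplace: pwdLastSet\npwdLastSet: -1\n-\n"
        for e in flagged(entries))

if __name__ == "__main__":
    found = parse_entries(SAMPLE_LDIF)
    for e in found:
        print(e["sAMAccountName"], password_state(e["pwdLastSet"]))
    print(build_change_ldif(found))
```

Because the output is a plain LDIF change file, it can be reviewed and archived as the record of exactly which accounts had the flag cleared before it is imported in a lab.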
  

2/3/2006 10:40:15 PM    Re: 'must change password at next logon' gets enabled after ADMT migration for each user
This is the default behavior of ADMT for user accounts.

This does not apply to service accounts if they are identified before migrating them.

--
Cheers,

(HOPEFULLY THIS INFORMATION HELPS YOU!)

MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx

-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
  