Intraforest migration and password synch

redbandana

OK, the ADMT password migration doco states:

Verify that the passwords of the source domain user accounts match the
password policy of the target domain.

ADMT cannot verify password policies in the target domain. If the
source user accounts have passwords that violate the password restrictions
(such as minimum length) in the target, then the affected migrated accounts
can log on, but they will be forced to change their password the next time
they log on.

If you have a Group Policy setting on the target domain that does not
allow blank passwords (the Default Domain Policy/Computer
Configuration/Security Settings/Account Policies/Password Policy/Minimum
password length setting is set to any number other than zero), then password
migration will fail for any user who has a blank password. The user will be
forced to change their password the next time they log on.

However, my tests with a stronger domain Account password policy for
INTRAFOREST do not work out that way. All user passwords are synched at
the migration into the target domain. However, when they change passwords,
they must meet the criteria of the target domain's account password policy.

Any feedback from others on this topic?
Thanks, red
 
Marin Marinov

<snip>
Hi Red,
The only issue you can have with password policies is migrating users
with blank passwords since in this case the target DC can "see" that the
password is blank. In all other cases it just receives a hash of the
password, which is 128-bit no matter what the actual length and contents
of the password are. Password restrictions are enforced by the OS when
you change your password via the "Change password" button or reset it
in ADUC since then you still have the password in clear text and the
password filter can be applied before the password is hashed. After it
is stored in AD, however, you can't apply any logic to its contents.

So your tests are correct - a user's password is *always* retained
unless blank, and ADMT sets all migrated accounts to force password change
on next logon ;)

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

"True knowledge exists in knowing that you know nothing."
Socrates
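A pre-migration check along the lines Marin describes, as an added example that is not part of the thread or of ADMT itself: it records the target domain's effective password policy (which ADMT cannot verify) and flags source accounts that are permitted a blank password. Since AD stores only the hash, the PASSWD_NOTREQD flag is used as a proxy for "may have a blank password"; the domain names are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
# Domain names are placeholders; replace with the real source and target domains.
$SourceDomain = 'source.example.local'
$TargetDomain = 'target.example.local'

# Target side: ADMT cannot check this policy, so record it before migrating.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $TargetDomain
"Target minimum password length: $($policy.MinPasswordLength)"
"Target complexity enabled:      $($policy.ComplexityEnabled)"

# Source side: AD holds only the password hash, so a blank password cannot be
# read back. Only accounts with PASSWD_NOTREQD set (PasswordNotRequired) can
# hold a blank password, and those are the ones whose password migration the
# ADMT documentation says will fail when the target minimum length is non-zero.
$suspect = Get-ADUser -Server $SourceDomain -Filter 'Enabled -eq $true' `
    -Properties PasswordNotRequired, PasswordLastSet |
    Where-Object { $_.PasswordNotRequired }

if ($policy.MinPasswordLength -gt 0 -and $suspect) {
    "Accounts allowed a blank password (migration will force a change):"
    $suspect | Select-Object SamAccountName, PasswordNotRequired, PasswordLastSet |
        Format-Table -AutoSize
} else {
    "No source accounts flagged."
}
```

Clearing the flag and setting a real password on the flagged accounts before running ADMT avoids the forced change Marin mentions.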
 