Domain Migration Administrator 7.1
What are some of the causes of a password migration failure?
E20688: Failed to copy password from USER1 to USER1, hr=80070005. Access is denied.
You may see an error such as the one below in the migration.log or you may notice that user accounts have been migrated with strong passwords even though you did not choose this option.
E20680: Failed to copy password from dc00001 to dc00001, hr=80070005. Access is denied.
- Set password for dc00001.
The access denied message could be a result of differences in the password security policies between the two domains. Please review the information below and determine if any of these items could be causing the password migration failure.
When migrating account passwords, DMA cannot process the password of accounts that do not match the target domain's password policy. This includes minimum password length, age enforcement. Password history enforcement can be a problem if you are migrating the same password from the source to the target during a re-migration. The minimum password age should be set to 0 because DMA copies the user, sets a strong password, and then later in process, copies the password from the source. If a minimum password age is set, DMA may have a problem changing the strong password to the password copied from the source.
- DMA cannot migrate passwords from user accounts that have the "User cannot change password option" checked to match a specified target password.
- The password copy will also fail if the trust between the source domain and the domain where DMA is running is broken or if Syskey encryption is enabled on the source domain. This issue is sometimes resolved by re-establishing trusts between the source and target domains.
- DMA can migrate accounts and prompt users to change the password upon next logon.
Another possible cause is that the logged on account does not have the 'Manage Auditing and Security Log' User Right on the source DC. Please add this User Right and attempt the password migration again.