When I perform a user migration I do not want the "User must change password at next logon" property selected (NETIQKB9393)

  • 7709393
  • 02-Feb-2007
  • 08-Aug-2007

Resolution

goal
When I perform a user migration I do not want the "user must change password at next logon" selected

fact
Domain Migration Administrator 7.1

fix
Passwords and Related Properties

When Domain Migration Administrator migrates user accounts, the product sets the 'User must change password at next logon' property for each migrated user account. If the 'Password never expires' property is set for a user account, Domain Migration Administrator clears this property for that user account. However, if Domain Migration Administrator is set to copy passwords from source accounts, the password flags of the source accounts are preserved.

Domain Migration Administrator sets the passwords for the migrated accounts using one of the following options:

  • Complex passwords
  • Same as user name (SAM name)
  • Copy password from source user

If you use the SAM account name option, configure the password policy on the target domain so that SAM account names satisfy it. Verify the minimum password length and password complexity policy settings in the target domain. If the new passwords do not meet the policy of the target domain, Domain Migration Administrator generates complex passwords.

If you do not copy the existing passwords or SAM account name passwords do not meet the policy of the target domain, Domain Migration Administrator generates passwords for the migrated user accounts. Domain Migration Administrator can generate complex passwords that meet the minimum password length requirement and contain at least 3 lowercase letters, 3 uppercase letters, 3 numerical digits, and 3 symbols. If the generated password does not comply with the password complexity rules in the target domain, Domain Migration Administrator disables the migrated user account.

Domain Migration Administrator can copy passwords from Windows NT domains that do not have SYSKEY encryption enabled. If the source domain has SYSKEY encryption enabled, you can specify the name of a BDC without SYSKEY encryption to allow Domain Migration Administrator to retrieve the passwords. It can also copy passwords from Windows 2000 mixed‑mode domains if a Windows NT 4.0 BDC is available. However, if the password is blank in the source domain, the password in the target domain is set to a complex password and logged in the password log file. Blank passwords are not copied.

Domain Migration Administrator stores passwords for migrated accounts in a tab‑delimited file for administrators to reference. You can specify the location of this file during the migration process. If the password file is located on an NTFS volume, Domain Migration Administrator sets the file permissions to allow access only by administrators. Domain Migration Administrator does not set the 'User must change password at next logon' property for service accounts.

  • If the 'User cannot change password' property is set for a user account, that migrated user account will be locked because the user will not be able to reset the password.
  • Domain Migration Administrator cannot copy the password for user accounts with the 'User cannot change password' property set. If this property is set, Domain Migration Administrator generates a password for the migrated user account.
  • Domain Migration Administrator does not copy the password age property when it migrates user accounts.
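
The following PowerShell is an added example, not NetIQ code and not part of the original article. It reviews migrated accounts for the property combinations described above. The function name, the sample accounts and the OU path in the closing comment are assumptions made for illustration.

```powershell
# Added example (not NetIQ code). Reviews the password-related properties of
# migrated accounts for the conflicts described in this article.
function Get-MigratedPasswordState {
    [CmdletBinding()]
    param(
        # Object exposing SamAccountName, Enabled, pwdLastSet,
        # PasswordNeverExpires and CannotChangePassword (as Get-ADUser returns).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Active Directory stores "User must change password at next logon" as pwdLastSet = 0.
        $mustChange = ($User.pwdLastSet -eq 0)
        $findings = @()
        if ($mustChange -and $User.CannotChangePassword) {
            $findings += 'Must change + cannot change: user cannot reset the password'
        }
        if ($mustChange -and $User.PasswordNeverExpires) {
            $findings += 'Must change set together with Password never expires'
        }
        if (-not $User.Enabled) {
            $findings += 'Disabled: check whether the generated password failed target complexity rules'
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            MustChange     = $mustChange
            Findings       = $findings -join '; '
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $true; pwdLastSet = 0
                       PasswordNeverExpires = $false; CannotChangePassword = $false }
    [pscustomobject]@{ SamAccountName = 'kiosk01'; Enabled = $true; pwdLastSet = 0
                       PasswordNeverExpires = $false; CannotChangePassword = $true }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $false; pwdLastSet = 133500000000000000
                       PasswordNeverExpires = $false; CannotChangePassword = $false }
)
$sample | Get-MigratedPasswordState | Format-Table -AutoSize

# Against a target domain (ActiveDirectory module; the OU path is a placeholder):
# Get-ADUser -Filter * -SearchBase 'OU=Migrated,DC=target,DC=example' `
#   -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword |
#   Get-MigratedPasswordState | Where-Object Findings
```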


note
In DMA 6.3 there is a bug that prevents proper handling of this password flag. To resolve this issue, upgrade to DMA 7.0 or later.

note
Please note that this information can also be obtained from Appendix C of the DMA and SC User Guide.

Additional Information

Formerly known as NETIQKB9393