DMA copies passwords even though they don't meet the password policy of the target. (NETIQKB12424)

fact
Domain Migration Administrator 6.x

fact
Domain Migration Administrator 7.x

symptom
DMA copies passwords even though they don't meet the password policy of the target.

cause
Some password policies do not affect the migration of passwords, even though the log says Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.'

fix

Here is what you can expect when copying passwords regarding the password policy settings of the target domain:

• Password History - The password history is not copied over. However, if a password was previously set on the target account and the password that is being copied matches that password, then an error will be generated.
• Maximum Password Age - The age of the source password is not copied over. Then target account password age starts when when password is first set/copied for new AD account.
• Min. Password Age - The age of the source password is not copied over. if a password was previously set on the password age time span had not passed, then an error will be generated.
• Min. Password Length - The DMA password copy process does not translate the source password to clear text and therefore cannot determine the actual password length.
• Complexity - The DMA password copy process does not translate the source password to clear text and therefore cannot determine if the complexity requirements are met.
• Reversible encryption - does not apply as the OS will encrypt it if this set, correct?

The only policy options that would stop DMA from writing the password would be Minimum Password Age if it were less than the amount of time since the first migration of the password, or Password History if you try to migrate an account twice wth the same password.

Formerly known as NETIQKB12424