The following error occurs when migrating accounts that have the "User cannot change password" flag enabled:
"Access is denied"
Refer to Resolution
The value of this checkbox, "User cannot change password", is stored in userAccountControl as well as in the user account's security descriptor, as an explicit deny of "change password" for SELF. The problem therefore lies in how Microsoft natively works with the "User Must Change password" flag: the security permissions must also be set at the same time.
Note: userAccountControl also houses user must change password, password never expires, etc.
WORKAROUND
Ensure the options to sync/migrate Security descriptors, as well as "User must change password" flag, are selected when migrating objects.
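A pre-migration check for the explicit deny described above, as an added example that is not part of the original article or of Migration Manager for AD: it parses an account's security descriptor in SDDL form and reports whether "Change Password" is explicitly denied to SELF (`PS`). The sample SDDL strings and all function names are constructed for illustration, and conditional ACEs are assumed absent.

```python
import re

# Rights GUID of the "Change Password" extended right in Active Directory.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
CONTROL_ACCESS = 0x100  # numeric form of the SDDL right "CR"
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")

# Constructed SDDL samples, not exported from a real domain.
SOURCE_SDDL = ("O:DAG:DAD:AI"
               "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
               "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
               "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)")
TARGET_SDDL = ("O:DAG:DAD:AI"
               "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
               "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
               "(A;;RPWPCRLCLOCCDCRCWDWOSDDTSW;;;SY)")


def pairs(field):
    """Split an SDDL flags or rights field into its two-letter codes."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def dacl_aces(sddl):
    """Return the DACL's ACEs as 6-field lists (assumes no conditional ACEs)."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = [a.split(";") for a in re.findall(r"\(([^()]*)\)", match.group(1))]
    return [a for a in aces if len(a) == 6]


def has_control_access(rights):
    """True if the rights field, as letter codes or hex, includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in pairs(rights)


def change_password_denies(sddl):
    """Trustees holding an explicit (not inherited) deny of Change Password."""
    return {
        trustee
        for ace_type, flags, rights, guid, _inherit, trustee in dacl_aces(sddl)
        if ace_type == "OD" and "ID" not in pairs(flags)
        and has_control_access(rights) and guid.lower() == CHANGE_PASSWORD_GUID
    }


def needs_descriptor_sync(sddl):
    """The setting survives migration only if the SELF deny ACE is copied."""
    return "PS" in change_password_denies(sddl)
```

Accounts for which `needs_descriptor_sync` returns `True` are the ones whose setting depends on the security descriptor being synced or migrated along with the object.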
STATUS
This error message was removed in Migration Manager for AD 7.1.4. However, you still must choose to "Merge" or "Replace" security descriptors if you wish to copy the "User must change password" flag.
The latest version of Migration Manager for AD can be downloaded at:
http://support.quest.com/support_download/Downloads.asp.