-
Title
When merging accounts with the migration session using any of the "Set password ..." options the target accounts password is the same after the session completes successfully. -
Description
When merging source and target accounts with any of the Set password options (Set password to, Set random password, Set password to username with) the target accounts password is the same after the session completes successfully.
-
Cause
This behavior is by design and is determined by the password migration module logic in DSA (Directory Synchronization Agent). Please refer to the resolution section below for detailed explanation.
-
Resolution
After the migration, if any source account attribute is changed, new user passwords may be overwritten with old source passwords. The passwords are also overwritten every time full resynchronization is performed. Now password modification times are compared for source and target accounts, and use the password with the latest modification time is not overwritten.
Both synchronization and migration modules are relying on DSA (Directory Synchronization Agent) logic of comparing source and target pwdLastSet attribute and setting password only if source value is newer. It applies to all migration setting including Set password to, Set random password, Set password to username with.
NOTE: It is possible to turn off this comparison of pwdLastSet attribute using Windows Registry. To do this, you need to run Registry Editor on the server where DSA agent is installed, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeActivation_[COMPUTER_NAME]\Config\PwdSwitch, create the CheckConflicts string value, and set it to 0.It is occasionally required, therefore suggested, to restart the machine where the Directory Synchronization Agent is installed.
****WARNING: Using Registry Editor incorrectly can cause serious problems that can damage the operating system and the software installed. Quest cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.***
Please also refer to article SOL13871 - Password Copy, Sync process, and Password setting behavior in Quest Migration Manager
https://support.quest.com/migration-manager-for-ad/kb/13871