-
Title
Setting Random or Specific passwords during migrations -
Description
Password Switch, source object: AAC49B1C00A49A4A8312345421347, source user: TestUser, target object 2A34BBA8213ABD489A5C12345678, target user: testUser, mode: DIRECT
01/25/21 14:47:18 (GMT+01:00) Common AcAdSwitches Error 0xe1000050. Cannot set password, user: "TestUser"
Error 0x80070005. Access is denied.
-
Cause
When creating password in the target, ie. Random, or specific during a Migration Session, the AEPAGENT is not used.
The passwords are being set by DSA itself. Tt calls a Windows API locally which in turn works remotely with a target DC using the “NetUserSetInfo” function. A connection to the target DC is established under the account that is specified in the Domain Pair properties, Target Domain. Only users or applications with administrative privileges can call the NetUserSetInfo function to change a user's password. When an administrator calls NetUserSetInfo, the only restriction applied is that the new password are those of the Domain Password restrictions in the Target environment. The pre-installed agent is not being used for this at all in this instance.
Because the AEPAGENT is not being used in this situation, Minimal Permissions will not function.
-
Resolution
The service account must belong to the Builtin Administrators, or the Domain Administrators group in the target domain in order to set the passwords.