During the resource updating process, does Quest Migration Manager (QMM) for Active Directory migrate certificates so that target users can use them?
During the resource processing of workstations within Quest Migration Manager, certificates are not modified. Therefore, the target user accounts will not be able to use these certificates. They can be manually exported by the source account and imported by the target account as a workaround.
These certificates are kept in Windows Protected Storage, and anything stored there (such as AutoComplete information in IE, Outlook Express passwords, POP3 passwords, etc.) is encrypted and can only be accessed by the original user. This information is not available when new target users start using the old profiles because it is encrypted with the original object's SID, stored under HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider.
Refer to Microsoft's Article - Windows 2000 Services for more information on Protected Storage:
Protected Storage - provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. (Protected Storage) P-Store is a set of software libraries that allows applications to fetch and retrieve security and other information from a personal storage location, hiding the implementation and details of the storage itself. The storage location provided by this service is secure and protected from modification. P-Store uses the Hash-Based Message Authentication Code (HMAC) and the SHA1 cryptographic hash function to encrypt the user's master key. This component requires no configuration. Disabling it will make information protected with this service (for example, private keys) inaccessible to you. P-Store is an earlier service that has been supplanted by the Data Protection API (DPAPI), which is currently the preferred service for protected storage. Unlike DPAPI, the interface to P-Store is not publicly exposed.
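The manual export/import workaround mentioned above can be scripted. The following is an added example, not Quest or Microsoft code: it assumes Windows 8 / Server 2012 or later (the built-in PKI module), and the function names and staging folder are hypothetical. Run the export while logged on as the source account and the import while logged on as the target account.

```powershell
# Added example. Function names and the staging folder are hypothetical.
function Export-MigrationCertificate {
    param(
        [Parameter(Mandatory)] [string]       $StagingPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null
    # Only certificates that carry a private key need to be moved this way.
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey) {
        $file = Join-Path $StagingPath "$($cert.Thumbprint).pfx"
        $ok = $true
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file `
                -Password $Password -ErrorAction Stop | Out-Null
        } catch {
            # A key marked non-exportable cannot be moved; that certificate
            # has to be re-issued to the target account instead.
            $ok = $false
            Remove-Item $file -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Exported   = $ok
        }
    }
}

function Import-MigrationCertificate {
    param(
        [Parameter(Mandatory)] [string]       $StagingPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    foreach ($pfx in Get-ChildItem -Path $StagingPath -Filter *.pfx) {
        # -Exportable is omitted, so the imported key cannot be exported again.
        Import-PfxCertificate -FilePath $pfx.FullName -Password $Password `
            -CertStoreLocation Cert:\CurrentUser\My -ErrorAction Stop | Out-Null
        # Do not leave private key material behind in the staging folder.
        Remove-Item $pfx.FullName
    }
}

# Source account:  Export-MigrationCertificate -StagingPath C:\CertStaging -Password (Read-Host -AsSecureString)
# Target account:  Import-MigrationCertificate -StagingPath C:\CertStaging -Password (Read-Host -AsSecureString)
```

The staging folder holds private keys protected only by the PFX password, so restrict its ACL to the two accounts involved and review the export report for entries where `Exported` is false.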
Please also see the following additional articles:
Why aren't my passwords for dialup access available after a resource updating?
https://support.quest.com/SUPPORT/index?page=solution&id=SOL18932
Internet Explorer Auto Complete History is lost after a User Switch (migration)
https://support.quest.com/SUPPORT/index?page=solution&id=SOL14497