-
Title
Password Copy, Sync process, and Password setting behavior in Quest Migration Manager -
Description
What is the password copy, sync process, and password setting behavior in Migration Manager?
-
Cause
Please refer to the release notes for the specific version to see if this behavior was modified.
The current release notes as of version 8.15 are available at Preparing Migration 8.15 - Release Notes (quest.com)
-
Resolution
A high level flow of the password Migration and sync within Migration Manager follows:
1. Compare source and target "pwdLastSet" attribute and migrate password only if source value is newer
2. Get current password from target
3. Reset target "pwdLastSet" to 0 (set up "User must change password at next logon") as this is required to workaround the "Minimum password age" policy
4. Get password from source
5. Set target password
6. Copy and set value of "pwdLastSet" from source
Example scenarios of common password migrations and results:
1. Source password of a "simple password" that does not comply to target Domain password policy:
Result - Password is copied / synced. Password complexity policy is ignored. Migration and synchronization behavior is the same.
2. Source password is "complex" that meets target Domain password policy:
Result - Password is copied / synced. Password complexity policy is ignored. Migration and synchronization behavior is the same.
3. Multiple migrations of passwords (simulate that passwords have changed between syncs):
Result - Password is copied / synced. Password complexity policy is ignored.
4. Source password is NULL (IE - Source User Account does not have a password):
Result - Password is NOT copied / synced. Minimum password length policy will prevent migration. User account will be created in disabled state.
Error received is:
"Error 0xe100004f. Cannot synchronize passwords, source user: "QMMtestAcc", target user: "targetUserName" Error 0x8007052d.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain"
5. Source user has PwdLastSet=0 which is equivalent to "User must change password at next login" setting.
Result - if target object pwdlastset is >0, password is NOT copied / synced. The reason for this is because if it would be synced, and the user changes the target password, the value would be reset by subsequent syncs, thus causing problems.6. If both source and target pwdlastset=0, password is copied
Note: It is possible to turn off this comparison of "pwdLastSet" attribute using Windows Registry. To do this, you need to run Registry Editor on the server where DSA agent is installed, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeActivation_[COMPUTER_NAME]\Config\PwdSwitch, create the CheckConflicts string value, and set it to 0. This method is only possible if you are not skipping attributes for Directory Synchronization or Migration Session.
Windows Registry Disclaimer:
Quest does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 ââ‚Description of the Microsoft Windows registryyyââ‚: http://support.microsoft.com/default.aspx?kbid=256986 -
Additional Information
The value of the pwdLastSet attribute is the Windows NT FILETIME in nanoseconds and can be decoded using the built in Windows W32tm command to translate it to a readable form. For example, when pwdLastSet = 130892017747502472: C:\>w32tm /ntte 130892017747502472 151495 09:22:54.7502472 - 13/10/2015 10:22:54