What is the password copy, sync process, and password setting behavior in Migration Manager?
Please refer to the release notes for the specific version to see if this behavior was modified.
The current release notes as of version 8.15 are available at Preparing Migration 8.15 - Release Notes (quest.com)
A high level flow of the password Migration and sync within Migration Manager follows:
1. Compare source and target "pwdLastSet" attribute and migrate password only if source value is newer
2. Get current password from target
3. Reset target "pwdLastSet" to 0 (set up "User must change password at next logon") as this is required to workaround the "Minimum password age" policy
4. Get password from source
5. Set target password
6. Copy and set value of "pwdLastSet" from source
Example scenarios of common password migrations and results:
1. Source password of a "simple password" that does not comply to target Domain password policy:
Result - Password is copied / synced. Password complexity policy is ignored. Migration and synchronization behavior is the same.
2. Source password is "complex" that meets target Domain password policy:
Result - Password is copied / synced. Password complexity policy is ignored. Migration and synchronization behavior is the same.
3. Multiple migrations of passwords (simulate that passwords have changed between syncs):
Result - Password is copied / synced. Password complexity policy is ignored.
4. Source password is NULL (IE - Source User Account does not have a password):
Result - Password is NOT copied / synced. Minimum password length policy will prevent migration. User account will be created in disabled state.
Error received is:
"Error 0xe100004f. Cannot synchronize passwords, source user: "QMMtestAcc", target user: "targetUserName" Error 0x8007052d.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain"
5. Source user has PwdLastSet=0 which is equivalent to "User must change password at next login" setting.
Result - if target object pwdlastset is >0, password is NOT copied / synced. The reason for this is because if it would be synced, and the user changes the target password, the value would be reset by subsequent syncs, thus causing problems.
6. If both source and target pwdlastset=0, password is copied
Note: It is possible to turn off this comparison of "pwdLastSet" attribute using Windows Registry. To do this, you need to run Registry Editor on the server where DSA agent is installed, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeActivation_[COMPUTER_NAME]\Config\PwdSwitch, create the CheckConflicts string value, and set it to 0. This method is only possible if you are not skipping attributes for Directory Synchronization or Migration Session.
Windows Registry Disclaimer:
Quest does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 ââ‚Description of the Microsoft Windows registryyyââ‚: http://support.microsoft.com/default.aspx?kbid=256986
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center