'must change password at next logon' gets enabled after ADMT migration for each user
Spin
2006-02-02 13:06:28 UTC
Experts,

I am doing a migration in AD to Windows 2003 from Windows 2000 using the
ADMT. I am saving the passwords during the migration by way of a password
export service on the source DC, and everything works great. However, the
user is tagged with a "must change password at next logon" attribute in the
target domain. Is there a way to prevent this from getting enabled or a
script I can run to run through my target AD and un-check that option for
each user?
--
Spin
Emilio Raggi
2006-02-02 14:09:00 UTC
You could use dsmod in conjunction with dsquery. They're available in
XP and 2k3.

Please try (first in a lab!):

dsquery user <OU_DistinguishedName> -limit 0 | dsmod user -mustchpwd no


Luck

Emilio
Paul Williams [MVP]
2006-02-02 14:15:45 UTC
Hmmm...sounds like ADMT is flagging the userAccountControl attribute because
the account doesn't have a complex password (unlikely) or is older than the
expiry settings in the new domain (possibly more likely). I don't know if
this is the case or not (just guessing) - we'll have to check the ADMT doc
to see if it does anything like that.

You can write a script that will go off and mod userAccountControl or you
could use DS* or AD* tools. Have a quick google for userAccountControl and
reset password for some example code. There should be some at Microsoft and
I'm pretty sure there's an example at www.rallenhome.com
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
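
Added example (not posted by anyone in this thread): a scripted version of the clean-up discussed above, which records the flagged accounts before changing them. It assumes the ActiveDirectory PowerShell module, which is newer than the tools named in the thread; the parameter names and the report path are placeholders.

```powershell
# Added example: audit, then clear, "must change password at next logon" under one OU.
# Assumes the ActiveDirectory module (RSAT). $SearchBase and $ReportPath are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SearchBase,                              # DN of the OU the users were migrated into
    [string]$ReportPath = '.\mustchpwd-before.csv'    # constructed default, change as needed
)

Import-Module ActiveDirectory -ErrorAction Stop

# The checkbox is stored on the user object as pwdLastSet = 0.
$flagged = @(Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
        -SearchScope Subtree -Properties pwdLastSet, whenCreated, PasswordNeverExpires)

# Keep a record of what was flagged before touching anything, even under -WhatIf,
# so the change can be reviewed and reversed per account if needed.
$flagged |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordNeverExpires, whenCreated |
    Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

foreach ($user in $flagged) {
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear must-change-password flag')) {
        # Writes pwdLastSet = -1, which the DC stores as the current time.
        # Side effect: the password age restarts now, so a migrated password
        # stays valid for a full maximum-password-age period from today.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $false
    }
}

# Re-query to confirm the result instead of trusting the loop.
$remaining = @(Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase -SearchScope Subtree)
'{0} account(s) flagged before, {1} still flagged' -f $flagged.Count, $remaining.Count
```

Run it with -WhatIf first: the CSV is still written, but no account is modified.
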
Jorge de Almeida Pinto [MVP]
2006-02-03 21:40:15 UTC
This is the default behavior of ADMT for user accounts.

This does not apply to service accounts if they are identified before
migrating them.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------

