Jordan

I'm glad it worked out for you.  Apologies for misleading you and Dave on this.  I'm 
pretty confused right now because I thought I had understood the behaviour pretty 
well.  

I'll see if you can get someone from inside MS to provide a decent description of how 
it actually works.

Tony
---------- Original Message ----------------------------------
From: Jordan Arendt <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 17 Sep 2004 08:49:58 -0600

Tony,

I'm using ADMT v2 into a 2k3 domain, so they may have changed it
somewhat.  Anyway, I got it working so it's all good.  Would have been
nice to see that mentioned somewhere in the docs I read though.


On Fri, 17 Sep 2004 09:38:03 -0400, Tony Murray <[EMAIL PROTECTED]> wrote:
> David
> 
> Strange.  My experience was also first hand.  We migrated a large number of NT 
> domains (with various different password policies) to a single Windows 2000 AD 
> domain using ADMT 2.0.  In many cases the source domain didn't conform to the 
> password requirements (length, complexity) of the target domain, but the passwords 
> were still exported successfully.
> 
> Maybe the behaviour changes if the target domain is W2K3 AD?
> 
> In any case, our discussion may be moot given the error that Jordan sees.  The 
> "access is denied" in the error would appear to indicate some other issue.
> 
> Tony
> 
> 
> ---------- Original Message ----------------------------------
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date:  Fri, 17 Sep 2004 08:50:58 -0400
> 
> Tony,
> 
> That situation was a first hand experience for me.  Once I reset (loosened)
> the password policy on 2K3, the export went.  In my case, it was not
> complexity that was stopping it, but minimum password length.
> 
> Jordan,
> 
> I just remembered another gotcha.  If you reinstalled the pes dll on the NT4
> PDC or installed it after you did all the regedits, recheck the reg edits,
> as the pes install resets some of the values.  Again another "first hand
> experience"
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: September 17, 2004 7:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] ADMT v2 PES question
> 
> Jordan
> 
> You might want to first double-check David's statement below.  My
> understanding is that ADMT 2.0 doesn't enforce complexity in any way for
> exported passwords.  It doesn't actually export the password, only the hash.
> In other words, it won't know whether the password complexity requirements
> of the target domain are met by the password or not.  The password
> complexity is only enforced when the user next changes password.
> 
> The only situation I know of where a new password is generated to meet the
> complexity requirements is where there is no password associated with the
> account in the source domain.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: Jordan Arendt <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Thu, 16 Sep 2004 11:12:51 -0600
> 
> Thanks.  I had "dumbed down" my default domain password policy as the NT 4
> domain only required a password length of 6 characters.  I am new to the
> site and didn't realize that complex passwords were not enforced, I just
> assumed it (ya ya ass u me).  So anyway, I removed complex passwords from
> the domain security policy and will do so when we do the actual migration.
> Then enforce it once everyone is migrated over.  Sigh.
> 
> Thanks again,
> 
> Jordan
> 
> On Wed, 15 Sep 2004 21:59:37 -0400, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > Check your default domain password policy.  Likely your source domain
> > has a weaker policy than the target (2K3) so it generates a random
> > password that meets the policy and places it in a file in the ADMT\logs
> > directory.
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
> > Sent: September 15, 2004 6:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] ADMT v2 PES question
> >
> > 1.  Yes. Can ping both ways from each machine. WINS servers are
> > entered correctly.
> >
> > 2. Yes the Pre-Windows 2000 Compatible Access group has the following
> > members:
> > Anonymous Logon
> > Authenticated Users
> > Everyone
> >
> > On Wed, 15 Sep 2004 23:18:41 +0200, Paul van Geldrop
> > <[EMAIL PROTECTED]>
> > wrote:
> > > Jordan,
> > >
> > > 1) Did you verify that both DNS _and_ WINS resolution are
> > > functioning properly ? You will need both of these to function
> > > properly for the migration to work.
> > > 2) Did you add both the Anonymous Logon group and the Everyone group
> > > to the Pre-Windows 2000 Compatible Access group?
> > >
> > > Regards,
> > >
> > > Paul.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Jordan Arendt" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 15, 2004 10:52 PM
> > > Subject: [ActiveDir] ADMT v2 PES question
> > >
> > > > Hi all,
> > > >
> > > > So, I've got a 2k3 forest that I am migrating an NT 4 domain into.
> > > > I've set up a Password Export Server on a DC in my test NT 4 domain.
> > > > Set registry entries, established trusts, etc.  When I go to
> > > > migrate a user, I get:
> > > >
> > > > WRN1:7557 Failed to copy the password for {user.} A strong
> > > > password has been generated instead. Unable to copy password. Access is denied.
> > > >
> > > > I'm looking at
> > > > http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;322981
> > > >
> > > > and have verified everything except:
> > > >
> > > > Pre-Windows 2000 Compatible Access has Read and Enumerate Entire
> > > > SAM Domain permissions on the object, as follows:
> > > > CN=Server,CN=System,DC={TargetDomain},DC={tld}
> > > >
> > > > Can anyone translate this for me?  I'm not sure what I am supposed
> > > > to do here.
> > > >
> > > > Thanks,
> > > >
> > > > Jordan
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive:
> > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> ________________________________________________________________
> Sent via the WebMail system at mail.activedir.org