Hi Phil

I believe the current Quest tool is the old Aelita tool. In the version
before they were purchased by Quest, passwords that were migrated completely
ignored the password policy of the target domain, even allowing blank
passwords to be migrated.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From:     Phil Renouf <[EMAIL PROTECTED]>
Sent by:  [EMAIL PROTECTED]tivedir.org
Date:     03/23/2005 09:51 AM EST
Please respond to: ActiveDir
To:       ActiveDir@mail.activedir.org
cc:       (bcc: James Day/Contractor/NPS)
Subject:  Re: [ActiveDir] Enabling Password must meet complexity requirements

On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> When password complexity is enabled:
> * If you migrate a user from a source domain to the domain with password
> complexity (length, complex, etc.) enabled the password does not need to
> meet the password policy in the DDP GPO (when using ADMT, and also some
> other third party products do this, the password hash is copied so that the
> target DC cannot verify if the actual password meets the password policy).
> After the user has been migrated and if the option (which by default is
> checked if you use ADMT) that the user must specify a new password at next
> logon, that new password must meet the complexity requirements in the
> password policy in the DDP GPO

I don't know about ADMT and I'm still getting stuff running on my new
laptop so I can't test it right now, but with NetIQ (and Quest too I
believe, but it's been a while since I used it) the target domain's
password policy has to be equal to or more simple than the source
domain's password policy. If the target's policy is more complex the
password copy will fail and a random complex password will be
generated (depending on the options you chose when setting up the
migration project).

I would be surprised if ADMT was able to get around this, I would
expect that when ADMT tried to enable the user it would get an error
that the password didn't meet complexity.

Phil
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

