Hi Phil I believe the current Quest tool is the old Aelita tool. In the version before they were purchased by Quest passwords that were migrated completely ignored the password policy of the target domain, even allowing blank passwords to be migrated.
Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] |---------+----------------------------------> | | Phil Renouf | | | <[EMAIL PROTECTED]> | | | Sent by: | | | [EMAIL PROTECTED]| | | tivedir.org | | | | | | | | | 03/23/2005 09:51 AM EST| | | Please respond to | | | ActiveDir | |---------+----------------------------------> >------------------------------------------------------------------------------------------------------------------------------| | | | To: ActiveDir@mail.activedir.org | | cc: (bcc: James Day/Contractor/NPS) | | Subject: Re: [ActiveDir] Enabling Password must meet complexity requiremen ts | >------------------------------------------------------------------------------------------------------------------------------| On Wed, 23 Mar 2005 14:49:51 +0100, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote: > When password complexity is enabled: > * If you migrate a user from a source domain to the domain with password > complexity (length, complex, etc.) enabled the password does not need to > meet the password policy in the DDP GPO (when using ADMT, and also some > other third party products do this, the password hash is copied so that the > target DC cannot verify it the actual password meets the password policy.). > After the user has been migrated and if the option (which by default is > checked is you use ADMT) that the user must specify a new password at next > logon, that new password must meet the complexity requirements in de > password policy in the DDP GPO I don't know about ADMT and I'm still getting stuff running on my new laptop so I can't test it right now, but with NetIQ (and Quest too I believe, but it's been a while since I used it) the target domains password policy has to be equal to or more simple than the source domains password policy. If the targets policy is more complex the password copy will fail and a random complex password will be generated (depending on the options you chose when setting up the migration project). I would be surprised if ADMT was able to get around this, I would expect that when ADMT tried to enable the user it would get an error that the password didn't meet complexity. Phil List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/