Tony,

That situation was a first hand experience for me. Once I reset (loosened) the password policy on 2K3, the export went. In my case, it was not complexity that was stopping it, but minimum password length.

Jordan,

I just remembered another gotcha. If you reinstalled the pes dll on the NT4 PDC or installed it after you did all the regedits, recheck the reg edits, as the pes install resets some of the values. Again another "first hand experience"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: September 17, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] ADMT v2 PES question

Jordan

You might want to first double-check David's statement below. My understanding is that ADMT 2.0 doesn't enforce complexity in any way for exported passwords. It doesn't actually export the password, only the hash. In other words, it won't know whether the password complexity requirements of the target domain are met by the password or not. The password complexity is only enforced when the user next changes password.

The only situation I know of where a new password is generated to meet the complexity requirements is where there is no password associated with the account in the source domain.

Tony

---------- Original Message ----------------------------------
From: Jordan Arendt <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Thu, 16 Sep 2004 11:12:51 -0600

Thanks. I had "dumbed down" my default domain password policy as the NT 4 domain only required a password length of 6 characters. I am new to the site and didn't realize that complex passwords were not enforced, I just assumed it (ya ya ass u me). So anyway, I removed complex passwords from the domain security policy and will do so when we do the actual migration. Then enforce it once everyone is migrated over. Sigh.

Thanks again,

Jordan

On Wed, 15 Sep 2004 21:59:37 -0400, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Check your default domain password policy. Likely your source domain
> has a weaker policy than the target (2K3) so it generates a random
> Password that meets the policy and places it in a file in the ADMT\logs directory.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt
> Sent: September 15, 2004 6:11 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] ADMT v2 PES question
>
> 1. Yes. Can ping both ways from each machine. WINS servers are
> entered correctly.
>
> 2. Yes the Pre-Windows 2000 Compatible Access group has the following
> members:
> Anonymous Logon
> Authenticated Users
> Everyone
>
> On Wed, 15 Sep 2004 23:18:41 +0200, Paul van Geldrop
> <[EMAIL PROTECTED]>
> wrote:
> > Jordan,
> >
> > 1) Did you verify that both DNS _and_ WINS resolution are
> > functioning properly? You will need both of these to function
> > properly for the migration to work.
> > 2) Did you add both the Anonymous Logon group as the Everyone group
> > to the Pre-Windows 2000 Compatible Access group?
> >
> > Regards,
> >
> > Paul.
> >
> > ----- Original Message -----
> > From: "Jordan Arendt" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 15, 2004 10:52 PM
> > Subject: [ActiveDir] ADMT v2 PES question
> >
> > > Hi all,
> > >
> > > So, I've got a 2k3 forest that I am migrating an NT 4 domain into.
> > > I've set up a Password Export Server on a DC in my test NT 4 domain.
> > > Set registry entries, established trusts, etc. When I go to
> > > migrate a user, I get:
> > >
> > > WRN1:7557 Failed to copy the password for {user.} A strong
> > > password has been generated instead. Unable to copy password. Access is denied.
> > >
> > > I'm looking at
> > > http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;322981
> > >
> > > and have verified everything except:
> > >
> > > Pre-Windows 2000 Compatible Access has Read and Enumerate Entire
> > > SAM Domain permissions on the object, as follows:
> > > CN=Server,CN=System,DC={TargetDomain},DC={tld}
> > >
> > > Can anyone translate this for me? I'm not sure what I am supposed
> > > to do here.
> > >
> > > Thanks,
> > >
> > > Jordan
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/

________________________________________________________________
Sent via the WebMail system at mail.activedir.org
