Problem with passwords migration (ADMT)

Anonymous
2021-06-07T10:32:50.503+00:00

Hi,
I have 2 AD domains in one forest. In every domain I have the same password policy set, with a minimum password length of 10 and password complexity.
I have to synchronize passwords between the first and the second AD domain.
I try to synchronize password by ADMT password command script.
A logged-on user can change the password when the requirements are fulfilled. But when I try to migrate the password, I receive this error:

WRN:7557 Failed to copy the password for user. A strong password has been generated instead.  Unable to copy password. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

If the user changes the password to a very hard one, the copy of the password has the status Successful.

Does the ADMT tool use another set of password complexity requirements?
Best regards


8 answers

  1. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-06-08T01:55:32.237+00:00

    Hello anonymous user,

    Thank you for posting here.

    Based on my knowledge, if you want to migrate user passwords, you need to install Password Export Server on a domain controller in the source domain.

    For more information about installing Password Export Server, please refer to links below.

    How to Migrate Users Across Forest (Cross Forest) Using ADMT 3.2 with SID and Passwords
    https://social.technet.microsoft.com/wiki/contents/articles/13904.how-to-migrate-users-across-forest-cross-forest-using-admt-3-2-with-sid-and-passwords.aspx

    ADMT Series – 4. Password Export Server
    https://blog.thesysadmins.co.uk/admt-series-4-password-export-server.html

    After that, when you migrate a user, check the option "migrate password" as in the link below.

    ADMT Series – 8. User Account Migration Wizard
    https://blog.thesysadmins.co.uk/admt-series-user-account-migration-wizard.html

    Meanwhile, based on "I try to synchronize password by ADMT password command script.", what is the ADMT password command script and how did you synchronize password by ADMT password command script?

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou


  2. Anonymous
    2021-06-08T07:17:09.26+00:00

    Thank you for your answer. I have installed the Password Export Server, and user and password migration works. But I have to automate the password migration (synchronization) between domains. Users have the same account in the first and the second domain. When a user changes the password in domain1, the password should be migrated to domain2. In both domains a PasswordPolicy is used with these requirements:

    - min. 10 characters
    - password complexity

    According to the documentation and my tests, the password complexity must meet 3 of these requirements:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)
    

    If a user changes the password so that it meets 3 of these requirements and I try to migrate this password, I receive this error: WRN:7557 Failed to copy the password for user. A strong password has been generated instead. Unable to copy password. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

    If a user changes the password so that it meets 4 of these requirements, migration of the password works. It looks like ADMT uses other password complexity requirements.

    Best regards


  3. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2021-06-09T09:13:34.507+00:00

    Hello anonymous user,

    I am so glad to receive your reply.

    Would you please create a test user in the target domain and then set his/her password so that it meets 3 of these requirements, and check whether you can create this user and set his/her password successfully?

    If not, did you set a Password Filter in the target domain?

    For more information about Password Filter, please refer to links below.

    https://learn.microsoft.com/en-us/windows/win32/secmgmt/password-filters

    https://learn.microsoft.com/en-us/windows/win32/secmgmt/using-password-filters

    https://learn.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  4. Anonymous
    2021-06-11T06:47:13.187+00:00

    Hello,
    I created the test user with a password that meets 3 of these requirements and I didn't receive any error.
    I checked the Password Filter and I found the value Notification Packages = rassfm scecli in this system registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    I checked the local Account Policies and the option "Passwords must meet complexity requirements" is disabled.

    I will note that the above error occurs only with users who belong to a group with a PasswordPolicy set.

    Best regards
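
One way to script the checks discussed in this thread, as an added example that is not part of any post: it compares the password policy that actually applies to one account in each domain (a fine-grained policy if one resolves for the user, otherwise the default domain policy) and lists the password filter packages registered on the machine where it runs. The domain names, the account name and the helper function name are placeholders; the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added diagnostic example. Domain names and the account name are placeholders.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Domain
    )
    # A fine-grained policy (PSO) that resolves for the user takes precedence
    # over the default domain policy; nothing is returned when no PSO applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -Server $Domain
    $origin = if ($policy) { "PSO: $($policy.Name)" } else { 'Default domain policy' }
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy -Server $Domain }

    [pscustomobject]@{
        Domain               = $Domain
        PolicySource         = $origin
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MinPasswordAge       = $policy.MinPasswordAge
    }
}

$account = 'testuser'                              # placeholder
$domains = 'domain1.example', 'domain2.example'    # placeholders: source, target
$rows = @($domains | ForEach-Object {
    Get-EffectivePasswordPolicy -SamAccountName $account -Domain $_
})
$rows | Format-Table -AutoSize

# Report every setting that differs between the two domains for this account.
foreach ($name in 'PolicySource', 'MinPasswordLength', 'ComplexityEnabled',
                  'PasswordHistoryCount', 'MinPasswordAge') {
    if ($rows[0].$name -ne $rows[1].$name) {
        Write-Warning "$name differs: $($rows[0].$name) vs $($rows[1].$name)"
    }
}

# Password filter DLLs registered on this machine (run on a target-domain DC).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa.'Notification Packages'
```

Running it for an affected account and for an account outside the group with the PasswordPolicy shows whether the two domains resolve the same settings for each.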


  5. Anonymous
    2021-06-11T10:45:53.57+00:00

    Hello,
    The problem wasn't resolved.
    I still don't know where the difference between a password set by the user and password migration by ADMT comes from.

    Best regards
