ADMT 3.1 PES installation fails with error: The supplied password does not match this encryption key's password
This article helps resolves an issue where an "The supplied password does not match this encryption key's password" error occurs when you configure the Password Export Server (PES) service on Active Directory Migration Tool version 3.1.
Applies to: Windows Server 2012 R2
Original KB number: 2004090
Configuring the Password Export Server (PES) service on Active Directory Migration Tool version 3.1 on the source domain PDC Emulator role holder using the
ADMT KEY command shown below fails with the following on-screen error:
ADMT KEY /OPTION:CREATE /SOURCEDOMAIN:<ADMT source domain> /KEYFILE:x:\<path>\<filename>.pes /PWD:*
Dialog Title text: Invalid Password!
Dialog message text:
The supplied password does not match this encryption key's password. ADMT's Password Migration Filter DLL will not install without a valid encryption key.
The supplied password was correct, but Windows Installer (msiexec.exe) failed to open a handle to the policy object on the domain controller for saving the password that will be used by the PES service. The failure indicates that the user account didn't have the required permission.
The user who installs the PES service must be a member of the domain's built-in Administrators group.
In addition, if the user account isn't a member of the built-in Administrators account, and User Account Control (UAC) is enabled on the domain controller, the user runs with least user privileges after logon. To access the policy object on the domain controller for installing the PES service, the user must launch the Pwdmig.msi setup file with full privileges.
Ensure the user account who installs the PES service is a member of the domain's built-in Administrators group by running the whoami /groups command, and run the Pwdmig.msi setup file in an elevated command-prompt window launched with the Run as administrator option.
If you see that the output of the command whoami /groups looks like the following, it means the user logged in with least user privileges. Although they're a member of the built-in Administrators group, they don't have permissions to perform administrative tasks with this token.
Whoami /groups output:
|Everyone||Well-known group||S-1-1-0||Mandatory group, Enabled by default, Enabled group|
|BUILTIN\Administrators||Alias||S-1-5-32-544||Group used for deny only|
|BUILTIN\Users||Alias||S-1-5-32-545||Mandatory group, Enabled by default, Enabled group|