$$ANON_USER$$ asked DaisyZhou-MSFT answered

Problem with passwords migration (ADMT)

Hi,
I have 2 AD domains in one forest. In every domain I have the same password policy set, with minimum password length 10 and password complexity.
I have to synchronize passwords between the first and the second AD domain.
I try to synchronize the password with the ADMT password command script.
A logged-on user can change the password when the requirements are fulfilled. But when I try to migrate the password I receive this error:

 WRN:7557 Failed to copy the password for user. A strong password has been generated instead.  Unable to copy password. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

If the user changes the password to a very hard one, the copy of the password has status Successful.

Does the ADMT tool use another set of password complexity?
Best regards

windows-active-directory

Hello anonymous user,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered

Hello anonymous user,

Thank you for posting here.

Based on my knowledge, if you want to migrate user password, you need to install Password Export Server onto a domain controller in the source domain.

For more information about installing Password Export Server, please refer to links below.

How to Migrate Users Across Forest (Cross Forest) Using ADMT 3.2 with SID and Passwords
https://social.technet.microsoft.com/wiki/contents/articles/13904.how-to-migrate-users-across-forest-cross-forest-using-admt-3-2-with-sid-and-passwords.aspx


ADMT Series – 4. Password Export Server
https://blog.thesysadmins.co.uk/admt-series-4-password-export-server.html

After that, when you migrate user, check the option "migrate password" as in the link below.

ADMT Series – 8. User Account Migration Wizard
https://blog.thesysadmins.co.uk/admt-series-user-account-migration-wizard.html



Meanwhile, based on "I try to synchronize password by ADMT password command script.", what is the ADMT password command script and how did you synchronize password by ADMT password command script?



Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.



Best Regards,
Daisy Zhou

$$ANON_USER$$ answered $$ANON_USER$$ edited

Thank you for your answer.
I have installed the Password Export Server, and user and password migration works.
But I have to automate the password migration (synchronization) between domains. Users have the same account in the first and the second domain. When a user changes the password in domain1, the password should be migrated to domain2.
In both domains the PasswordPolicy is used with these requirements:
- min. 10 characters
- password complexity.

According to the documentation and my tests, the password complexity must meet 3 of these requirements:

 English uppercase characters (A through Z)
 English lowercase characters (a through z)
 Base 10 digits (0 through 9)
 Non-alphabetic characters (for example, !, $, #, %)


If a user changes the password so that it meets 3 of these requirements and I try to migrate this password, I receive this error:
WRN:7557 Failed to copy the password for user. A strong password has been generated instead. Unable to copy password. Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.


If a user changes the password so that it meets 4 of these requirements, migration of the password works. It looks like ADMT uses different password complexity requirements.

Best regards




DaisyZhou-MSFT answered

Hello anonymous user,

I am so glad to receive your reply.

Would you please create a test user in the target domain, set his/her password so that it meets 3 of these requirements, and check whether you can create this user and set his/her password successfully?


If not, did you set Password Filter in target domain?

For more information about Password Filter, please refer to links below.


https://docs.microsoft.com/en-us/windows/win32/secmgmt/password-filters

https://docs.microsoft.com/en-us/windows/win32/secmgmt/using-password-filters

https://docs.microsoft.com/en-us/windows/win32/secmgmt/installing-and-registering-a-password-filter-dll


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
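
An added example, not part of the original answer: one way to check which password filters are registered on every domain controller of the target domain, since a password change may be processed by any of them. It assumes the ActiveDirectory module and PowerShell remoting to the DCs; the domain name is a placeholder.

```powershell
# Added example: list the LSA "Notification Packages" (password filters) on each DC
# of the target domain and flag packages that are not registered on all of them.
Import-Module ActiveDirectory
$TargetDomain = 'target.example.com'   # placeholder

$dcs = @(Get-ADDomainController -Filter * -Server $TargetDomain)

$report = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        # A registered filter DLL is expected in System32 as <name>.dll
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path $dll
        [pscustomobject]@{
            Package   = $name
            DllExists = $exists
            Company   = if ($exists) { (Get-Item $dll).VersionInfo.CompanyName } else { $null }
        }
    }
}

# PSComputerName is added by Invoke-Command and identifies the DC.
$report | Sort-Object PSComputerName, Package |
    Format-Table PSComputerName, Package, DllExists, Company -AutoSize

# A package present on only some DCs means the result depends on which DC handles the change.
$report | Group-Object Package |
    Where-Object { $_.Count -ne $dcs.Count } |
    ForEach-Object {
        Write-Warning "'$($_.Name)' is registered on only $($_.Count) of $($dcs.Count) DCs"
    }
```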

$$ANON_USER$$ answered ukaszwitkowski-0855 commented

Hello,
I created the test user with a password that meets 3 of these requirements and I didn't receive any error.
I checked the Password Filter and I found the value Notification Packages = rassfm scecli in this system registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

I checked the local Account Policies and the option "Passwords must meet complexity requirements" is disabled.

I will note that the above error occurs only with users who belong to a group with PasswordPolicy set.

Best regards


Hello anonymous user,

Thank you for your update.

So is the original problem resolved?

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hello anonymous user,

Based on the description "I will note that the above error occurs only with users who belong to a group with PasswordPolicy set.", what is the PasswordPolicy set? Did you set up FGPP for one group?

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


The PasswordPolicy is the password settings contained in the Active Directory container:
domain/System/Password Settings Container.

These settings are applied to an AD group. Users are members of this group.
We have 3 different password settings with 3 groups.

This is exactly the FGPP.

$$ANON_USER$$ answered

Hello,
The problem wasn't resolved.
I still don't know where the difference between a password set by the user and a password migrated by ADMT comes from.

Best regards

DaisyZhou-MSFT answered $$ANON_USER$$ commented

Hello anonymous user,

Thank you for your update.

Did you deploy FGPP for AD group with some users only in the target domain?

If so, I suggest you can migrate two test users in source domain to target domain as below:

Create two test user accounts in source domain.

User1 in source domain belongs to group1 => apply password policy within Default Domain Policy (the same password policy as in target domain)
User2 in source domain belongs to group2 => apply password policy in FGPP (the same password policy as in target domain)

User1 in target domain belongs to group11 => apply password policy within Default Domain Policy (the same password policy as in source domain)
User2 in target domain belongs to group22 => apply password policy in FGPP (the same password policy as in source domain)

Test the following entries:

Test User1 meets 3 of these requirements and try to migrate this password.
Test User1 meets 4 of these requirements and try to migrate this password.

Test User2 meets 3 of these requirements and try to migrate this password.
Test User2 meets 4 of these requirements and try to migrate this password.

Then check if you can migrate them successfully.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
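
An added example, not part of the original answer: before running the test matrix above, this reports which policy (a fine-grained PSO or the Default Domain Policy) actually wins for one account in each domain and flags settings that differ. It assumes the ActiveDirectory module; the domain names and account name are placeholders.

```powershell
# Added example: compare the effective password policy for one account in both domains.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.com'   # placeholder
$TargetDomain = 'target.example.com'   # placeholder
$SamAccount   = 'testuser2'            # placeholder

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Server
    )
    # Returns the winning PSO, or nothing when no FGPP applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity -Server $Server
    if ($pso) {
        $origin = "FGPP '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $origin = 'Default Domain Policy'
        $policy = Get-ADDefaultDomainPasswordPolicy -Server $Server
    }
    [pscustomobject]@{
        Domain               = $Server
        Origin               = $origin
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MinPasswordAge       = $policy.MinPasswordAge
    }
}

$src = Get-EffectivePasswordPolicy -Identity $SamAccount -Server $SourceDomain
$dst = Get-EffectivePasswordPolicy -Identity $SamAccount -Server $TargetDomain
$src, $dst | Format-Table -AutoSize

# Flag every setting whose effective value differs between the two domains.
'MinPasswordLength', 'ComplexityEnabled', 'PasswordHistoryCount', 'MinPasswordAge' |
    Where-Object { $src.$_ -ne $dst.$_ } |
    ForEach-Object {
        Write-Warning "$_ differs: source=$($src.$_) target=$($dst.$_)"
    }
```

Running it for a real account that fails and for a test account that succeeds shows whether both resolve to the same PSO, which group membership alone does not guarantee when several PSOs with different precedence exist.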


Hello,
The FGPP has been deployed in the target and the source domain with the same settings.

Best regards.

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello anonymous user,

I have tested it in my lab, and I can migrate a user whose password meets 3 of these requirements.

1-Set up FGPP in source domain and target domain.

2-Create user account and password.

3-Apply the user to use FGPP.

4-I can migrate this user.

Are my steps the same as yours?

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Hello,
On test accounts it also works (when 3 of these requirements are met).
Generally, on test accounts it works. On real user accounts, not always. I don't know why.
In the target domain the FGPP will be disabled, because the FGPP works in the source domain.
When the password is migrated, it must already meet the requirements in the source domain. So in the target domain the FGPP is not needed.
During the coming days, tests will be done on real user accounts again.
Probably the issue has been solved.

Best regards

DaisyZhou-MSFT answered

Hello anonymous user,

Thank you for your update.

Hope everything goes well in the future.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
