Troubleshooting Password Migration Issues

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)

This topic describes a known issue related to migrating passwords with the Active Directory Migration Tool.

Migrated passwords may not conform to the password policy of the target domain

Password migration in ADMT bypasses password policy checks. If a password policy is set, it is not enforced until the password is changed. For this reason, ADMT always requires migrated users to change their passwords the next time that they log on.

After an interforest migration, users cannot log on to their new domain.

Cause: When you perform an interforest migration, ADMT always sets the User Must Change Password option for migrated users. If the user account has the User Cannot Change Password option set, the target account cannot log on until one or both options have been changed.

Solution: Change the options by using one of the following procedures:

To enable the ability to change the user password

  1. In Active Directory Users and Computers, on the View menu, click Advanced Features.

  2. Right-click the user, and then click Properties.

  3. On the Security tab, allow the Change Password permission for Everyone and for the user.

To remove the User Must Change Password flag

  • In Active┬áDirectory Users and Computers, right-click the user, and then click Reset Password.

After an intraforest migration, users cannot log on to their new domain.

Cause: The user account passwords that were used in the old domain might violate the password restrictions in the new domain.

In an intraforest migration, user account passwords from the source domain are migrated to the target domain. If the source domain user accounts have passwords that violate password restrictions (such as minimum length) in the target domain, the affected migrated users cannot log on until their password has been set to a value that fits the target domain password policy.

If the users try to use the invalid passwords, their new user accounts might be locked. If you selected the Disable target accounts option in the User Account Migration Wizard, the new user accounts are disabled. As a result, the migrated users might not be able to log on until their accounts have been unlocked or marked as enabled.

Solution: Reset the user account passwords to a value that fits the new domain's password policy, and enable the user accounts if they were disabled as a result of repeated password failure.

Migrated users receive an error indicating that their user name or password is incorrect.

Cause: Migrated users cannot log on because of password policy, even though password policies appear to be disabled.

During a migration, some administrators may choose to disable their password policies on the target domain. If they try to accomplish this by turning off the minimum password length policy without setting the policy to zero, it is possible that the users cannot log on because a password policy is still in effect.

Solution: Set the minimum password length policy to zero. After the zero length policy is in effect, the minimum password length policy can be turned off.