NT4 to W2K3 Password Migration Failure

External Since: Oct 15, 2003 Posts: 1

I am trying to get the Password Migration feature of the
ADMT migration utility to work and every time I migrate a
user the logs report
"WRN1:7557 Failed to copy the password for {user.} A
strong password has been generated instead. Unable to
copy password. Access is denied"
I found the whitepaper "How to Troubleshoot Inter-Forest
Password Migration with ADMTv2" and checked that
everything was correctly setup and everything look
correct.

Please help, I have ran out of things to try.

External Since: Sep 25, 2003 Posts: 232

Dear Dave,

Thank you for your post. Let's check the following two configuration items
in the target domain:

1. Check the setting of the following security option in group policy:

Default Domain Controllers Policy/Computer Configuration/Windows
Settings/Security Settings/Local Policies/Security Options/Additional
Restrictions for Anonymous Connections

The default setting for this option is Not defined. If the No access
without explicit anonymous permissions option is selected on the domain
controllers, then the "Access Denied" error will occur. Selecting the Rely
on default permissions option will prevent the "Access Denied" error.

2. Check the permissions on the CN=Server,CN=System,DC=¡ object, which can
be viewed by clicking Active Directory Users and Computers on the View menu
when Advanced Features is enabled. The password export server (PES)
requires that the Pre-Windows 2000 Compatible Access group have the "Read
All Properties" direct permission for the CN=Server,CN=System,DC=... object.

If the "Read All Properties" permission for the CN=Server,CN=System,DC=...
object is removed, an "Access Denied" error will occur when attempting to
copy a password.

Please let me know if the problem can be resolved.

Thank you for using our news group!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Content-Class: urn:content-classes:message
|From: "Dave" <xskullr1.TakeThisOut@gte.net>
|Sender: "Dave" <xskullr1.TakeThisOut@gte.net>
|Subject: NT4 to W2K3 Password Migration Failure
|Date: Wed, 15 Oct 2003 13:38:08 -0700
|Lines: 12
|Message-ID: <06f501c3935c$3e4fb030$a301280a@phx.gbl>
|MIME-Version: 1.0
|Content-Type: text/plain;
| charset="iso-8859-1"
|Content-Transfer-Encoding: 7bit
|X-Newsreader: Microsoft CDO for Windows 2000
|Thread-Index: AcOTXD5PqIvMoGopSiyKl6D24exb7w==
|X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
|Newsgroups: microsoft.public.windows.server.migration
|Path: cpmsftngxa06.phx.gbl
|Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.migration:4301
|NNTP-Posting-Host: TK2MSFTNGXA11 10.40.1.163
|X-Tomcat-NG: microsoft.public.windows.server.migration
|
|I am trying to get the Password Migration feature of the
|ADMT migration utility to work and every time I migrate a
|user the logs report
|"WRN1:7557 Failed to copy the password for {user.} A
|strong password has been generated instead. Unable to
|copy password. Access is denied"
|I found the whitepaper "How to Troubleshoot Inter-Forest
|Password Migration with ADMTv2" and checked that
|everything was correctly setup and everything look
|correct.
|
|Please help, I have ran out of things to try.
|