Ada Pan [MSFT]
Posted: Mon Nov 14, 2005 8:54 am
Post subject: RE: password migration issue
Hello Rob,
According to your description, I understand that you don't want the
migrated user to be prompted to change the password.
In Windows Server 2003, if a password is set using the hash, the "user must
change password at next logon" attribute is set automatically by the
system. ADMT cannot retrieve the clear text password and uses the hash of
the password, so the user was forced to change the password at next logon.
You may use a registry key to control this:
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Value name: SamRestrictOwfPasswordChange
Data type: REG_DWORD
Allowed values: 0, 1, 2
0 - old behavior, client can change password through OWF password change
API, and the new password remains unexpired.
1 - .NET Server default behavior, client can change password through OWF
password change API (SamrChangePasswordUser), but the password expires
immediately.
2 - more secure behavior, client can't use OWF password change API. This
API (SamrChangePasswordUser) will be totally disabled and return
STATUS_ACCESS_DENIED for all clients except for LocalSystem and members of
builtin administrators group.
Please set the SamRestrictOwfPasswordChange to 0 on all the DCs so that the
migrated users will not be prompted to change password.
Hope it helps!
Regards,
Ada Pan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
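An added example, not part of the original post: a PowerShell script that audits the SamRestrictOwfPasswordChange value on every domain controller, maps each value to the meaning described above, and can set the value consistently. It assumes the ActiveDirectory module and PowerShell remoting to the DCs; the function names are the example's own.

```powershell
# Added example (not from the original post): audit and optionally set
# SamRestrictOwfPasswordChange on every domain controller. Assumes the
# ActiveDirectory module and PowerShell remoting to the DCs are available.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'SamRestrictOwfPasswordChange'

# Meaning of each allowed value, as described in the post.
$Meaning = @{
    0 = 'OWF change allowed; new password stays unexpired (migrated users not prompted)'
    1 = 'OWF change allowed, but password expires immediately (post: Server 2003 default)'
    2 = 'OWF change API returns STATUS_ACCESS_DENIED except LocalSystem/Administrators'
}

function Get-OwfPasswordChangeSetting {
    # Returns one object per DC with the raw value ($null when the value is absent).
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = if ($null -ne $item) { [int]$item.$Name } else { $null }
        }
    }
}

function Set-OwfPasswordChangeSetting {
    # Writes the DWORD on each DC; -Value is restricted to the three allowed values.
    param([string[]]$ComputerName, [ValidateSet(0, 1, 2)][int]$Value)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName, $Value -ScriptBlock {
        param($Path, $Name, $Data)
        New-ItemProperty -Path $Path -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
    }
}

# Audit every DC in the current domain and warn when they disagree.
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Get-OwfPasswordChangeSetting -ComputerName $dcs | ForEach-Object {
    $v = $_.Value
    [pscustomobject]@{
        DC      = $_.DC
        Value   = if ($null -eq $v) { 'not set' } else { $v }
        Meaning = if ($null -eq $v) { 'absent; post states 1 is the default: ' + $Meaning[1] } else { $Meaning[$v] }
    }
}
$report | Format-Table -AutoSize
if (($report.Value | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'DCs disagree on SamRestrictOwfPasswordChange; the post asks for the same value on all DCs.'
}
```

The post recommends 0 on all DCs for the migration; the same setter can restore the stricter 1 or 2 once migrated users have logged on, and the audit shows which DCs were missed.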