How do I prevent Domain Migration Administrator from overwriting a password on an existing user? (NETIQKB7833)

  • 7707833
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

goal
How do I prevent Domain Migration Administrator from overwriting a password on an existing user?

fact
Domain Migration Administrator 6.x

fact
Domain Migration Administrator 7.x

symptom
Passwords are changed (overwritten) on user accounts that already exist in the target domain.

symptom
Passwords are overwritten when migrating accounts in 'Replace and Update' mode.

fix

To prevent Domain Migration Administrator (DMA) from overwriting a password on an existing user, select the 'Naming Conflicts' option to Ignore conflicting accounts and don't migrate.  However, if you are performing a user migration to update the properties of a user that already exists in the target domain, then you will want to use the 'Naming Conflicts' option Replace and Update conflicting  accounts.

When Replace and Update conflicting accounts is selected, properties of existing accounts in the target domain are changed to match the properties of the account with the same name in the source domain. (Note: If the source and target domains are in the same  forest, this option is not available.)  The password is one of the properties that is changed.

To prevent DMA from overwriting the password when migrating in Replace and Update mode, use the following unsupported workaround:

Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Make sure that you backup your Registry prior to making any changes.

Note:  This workaround has not been fully-regression tested in all environments; you should test this workaround in your lab environmentbefore attempting it in production.

  1. Rename the following registry key by adding a '1' or some other character.  (This will prevent DMA from finding the key.)
    • For DMA versions prior to 7.0:
      • HKEY_LOCAL_MACHINE\SOFTWARE\MissionCriticalSoftware\DMA\Extensions\MCSDMASetTargetPassword.SetPassword
    • For DMA versions 7.0 or later:
      • HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\DMA\Extensions\MCSDMASetTargetPassword.SetPassword
  2. Migrate the user accounts, selecting the Complex Passwords option on the 'Password Options' page.

Performing these two steps will "trick" DMA into attempting to create a complex password for an account, but it will not be able to since the registry key has been renamed. 



note

If you have modified this registry key, DMA will not create a complex password for any migrated users, whether or not the target  user account already exists.  If the target account does not exist, and you migrate selecting the Complex Passwords option, the new account will have a blank password.  If you find that you need DMA to create complex passwords for future migrations, simply return the key name to its original  state.



Additional Information

Formerly known as NETIQKB7833