Pau Lo
asked on
AD user migration process
1) Can I ask, if you build a new active directory, how do you “migrate” accounts over? Is it a simple task?
2) If some of the existing accounts are set to have non-expiring passwords, and they were set up say 10 years ago, when the password policy was weak (i.e. 6 length, no complexity, expire every 6 months etc), if you migrate them over will they keep the same password properties in the new AD, if your new AD requires a new password policy, i.e. 12 length, meet complexity, expire every 3 months etc.
3) Our AD team seem to think migrating user objects from the old AD into the new AD will remove the issues with many accounts having weak and non-expiring passwords – what’s your view on this?
ASKER
It sounds like moving to a new domain is way overkill just to deal with user accounts that have non-expiring passwords. Why not just do a search on your current domain and make those users follow the password policy?
No, the weak passwords aren't the justification for a new domain, just one issue that would be nice to resolve during the migration.
Once the accounts are migrated the settings on the accounts should remain the same as they were on the source domain. If the password policy is different, then the users will need to meet that policy when they change their password.
So, if they keep the settings, i.e. non-expiring passwords, they will never need to change their password, thus they will never be forced to meet the policy in the new domain?
Yes, it will bring over the settings that the user currently has. However, during the ADMT process there is also an option to force the user to change password on the next login to the new domain. This might be a way for you to force them to change it.
ASKER
Thanks, could you dig out a reference link to that option for me so I can show it to the migration team, if you have one handy that is. And anything that backs up that migrated accounts keep their password settings would be a great help too.
http://www.quest.com/powershell/activeroles-server.aspx
The command would be get-qaduser -passwordneverexpires.
You could simply uncheck the password never expires option.
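The audit and clean-up discussed in this thread, as an added example that is not part of the original posts or any poster's code: it lists enabled accounts in the new domain that still carry the non-expiring flag or a password set before the new policy applied, then clears the flag and forces a change at next logon. It uses Microsoft's ActiveDirectory module (Get-ADUser, Set-ADUser) instead of the Quest cmdlets; the function names, the policy date and the CSV path are assumptions.

```powershell
#Requires -Modules ActiveDirectory

function Get-LegacyPasswordAccount {
    [CmdletBinding()]
    param(
        # Date the new domain's password policy took effect (assumed input).
        [Parameter(Mandatory)] [datetime] $PolicyEffectiveDate,
        # Optional OU to scope the search, e.g. the OU that received migrated users.
        [string] $SearchBase
    )
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'PasswordNeverExpires', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | Where-Object {
        # Flag carried over from the source domain: the password never ages out.
        $_.PasswordNeverExpires -or
        # Password predates the policy date, so it was never checked against it.
        # A null PasswordLastSet already means "must change at next logon".
        ($_.PasswordLastSet -and $_.PasswordLastSet -lt $PolicyEffectiveDate)
    } | Select-Object SamAccountName, DistinguishedName, PasswordNeverExpires, PasswordLastSet
}

function Set-LegacyPasswordRemediation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $DistinguishedName
    )
    process {
        $action = 'Clear PasswordNeverExpires and force change at next logon'
        if ($PSCmdlet.ShouldProcess($DistinguishedName, $action)) {
            # Two calls: change-at-logon cannot be set while the account is
            # still flagged as never expiring.
            Set-ADUser -Identity $DistinguishedName -PasswordNeverExpires $false
            Set-ADUser -Identity $DistinguishedName -ChangePasswordAtLogon $true
        }
    }
}

# Review the report first; -WhatIf lists the changes without writing them.
$legacy = Get-LegacyPasswordAccount -PolicyEffectiveDate '2024-01-01'  # constructed date
$legacy | Export-Csv -Path .\legacy-passwords.csv -NoTypeInformation   # assumed path
$legacy | Set-LegacyPasswordRemediation -WhatIf
```

Service accounts usually appear in this report as well; scope the remediation with -SearchBase or filter the report before piping it in, since forcing a change at next logon on a service account stops the service from authenticating.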