password sync problems

[Cered]

I'm not sure where to post this, I think it may be a Windows 2003 problem, but since it's the syncing of passswords between the two, I'm going to post in both places.

We're in the process of extracting ourselves from our "parent" company and going out on our own, so we have create a new Windows Domain and are in the process of pulling our workstations (either XP or 2000) into the new Domain. We have over 300 workstations to pull over, and we were able to pull from novell the user names and the password assiocaited with it. So when we get the workstation on the new domain and we're logging into the computer, the novell box comes up and the novell password is put in and then they get a windows log in box, with the sync check box, which they check and then they put in the windows password - which is different from the novell password. They then get an error saying the the passwords cannot be synced since the novell password is too short, or has been used before.

I have "dumbed down" the password requirement of the window side so that shouldn't be an issue - nor should the fact that the password was used before, since the user has just become a memeber of the new domain.

Thanks in advance for the help.

 

[terry712]

from your description - it's like you have the use unique password option set - this will mean you cant use pwd again for about 8 goes

although it sounds like you have already logged into netware and it's coming from ms

i assume your not using account management or zen
definately an easier way to go

 

[Provogeek]

A nice setup that would make your life easier would be to the Nsure Identity Manager (DirXML2.0).

You can use this product to sync the user ID's and passwords in NDS to the old AD forest and using NDS as the base, replicate those users into your new AD forest.

But the problem you have right now is with the Windows Password Policy on the 2003 box. You can try disabling it all together, which is what I had to do to get a password sync in DirXML to function properly. By default eDirectory does not enable the password policy (avilable in eDir87.3, not sure about 86 though). Windows by defualt uses a restrictive password policy that can interfear with NetWare. So you should inspect your password policy to ensure it does not have a setting that conflicts with the Novell dumed down password rules that have been avilable since creation.

You can also enable to Novell password policy (done through iManager) and make it more restrictive than the Windows password policy. Just remember, the policy will flow down the tree, but stop at a partition. Assign a password policy to each partition you want it to be used with.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case
Senior Network Engineer

http://www.kiscc.com

 

[Cered]

Brent,
When I do CTRL-ALT-DEL 'Change password', I get a message that the password casnnot be change due to it being too short or having been used before. as far as the permissions are concerned when I go into the Default Domain Security tab, the following is set:

Enforce password history not defined
Maximum Password age 40 days
Minimum Password age 1 days
Minimum Password lenght 3 characters
Password must meet complexity requirements Disabled
store passwords using reversible encryption Disabled

Am I in the right place?

 

[Provogeek]

There is more to the windows password policy, your only looking at the pure basics.

Not a windows guy so I can't point you the place in windows to find this .. I don't know were it is.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case
Senior Network Engineer

http://www.kiscc.com