M100626: Migrating user profiles to computers joined to Windows 2000 Server or Windows 2003 Server domains

ManageSoft for Windows Deployment provides the ability to capture user personality profiles from a target machine using a remote execution task. The user personalities are then injected onto the migrated machine during the postwork phase. User personality migration fails on computers joined to Windows 2000 Server or Windows 2003 Server domains if the Minimum password length setting in the domain password policy is set to a value greater than zero (0). This article describes why this occurs, and how to work around the issue.

THE CONTENT OF THIS ARTICLE WAS INCORPORATED INTO THE MANAGESOFT GUIDE FOR WINDOWS DEPLOYMENT AT RELEASE 7.5. ANY RELEVANT UPDATES TO THIS CONTENT WILL BE MADE TO THAT GUIDE.

Refer to the ManageSoft Guide for Windows Deployment for more details about the personality migration process.

Introduction

ManageSoft for Windows Deployment fails to inject (and consequently create) local user profiles on computers in Windows 2000 Server and Windows 2003 Server Active Directory environments if the minimum password length setting is greater than zero (0). This is because, during the injection phase, the default password set for all local user accounts is NULL, which a policy requiring at least one character rejects. (The NULL setting forces users to change their passwords the first time they log in to the computer using this local account.)

To enable injection of local user profiles onto machines that are joined to a Windows 2000 or Windows 2003 Server domain, perform the following steps on your domain controller before performing a Windows deployment.

On Windows 2000 Server

To enable injection of local user profiles onto machines that are joined to a Windows 2000 domain, complete the following steps on your domain controller:

  1. Open Active Directory Users and Computers (Start > Programs > Administrative Tools > Active Directory Users and Computers).
  2. Right-click the root container for the domain, and select Properties.

    The <DOMAIN Name> Properties dialog is displayed.

  3. Click the Group Policy tab.
  4. From the Current Group Policy Object Links for <DOMAIN Name> list, double-click Default Domain Policy.

    The Group Policy window is displayed.

  5. Expand Computer Configuration > Windows Settings > Security Settings > Account Policies, and select Password Policy.
  6. Double-click the Minimum password length policy.

    The Security Policy Setting dialog is displayed.

  7. Check the Define this policy setting box.
  8. In the characters field, enter 0.

    With a value of 0, the prompt above the field reads "No password required:"; otherwise it reads "Password must be at least:".

  9. Click OK to close the Security Policy Setting dialog.
  10. Close the Group Policy window.
  11. Click OK to close the <DOMAIN Name> Properties dialog.
  12. Close the Active Directory Users and Computers window.

    With zero-length passwords allowed, user profile injection will complete successfully.

On Windows 2003 Server

To enable injection of local user profiles onto machines that are joined to a Windows 2003 Server domain, complete the following steps on your domain controller.

  1. Open Active Directory Users and Computers (Start > All Programs > Administrative Tools > Active Directory Users and Computers).
  2. Right-click the root container for the domain, and select Properties.

    The <DOMAIN Name> Properties dialog is displayed.

  3. Click the Group Policy tab.
  4. From the Current Group Policy Object Links for <DOMAIN Name> list, double-click Default Domain Policy.

    The Group Policy Object Editor window is displayed.

  5. Expand Computer Configuration > Windows Settings > Security Settings > Account Policies, and select Password Policy.
  6. Double-click the Minimum password length policy.

    The Minimum password length Properties dialog is displayed.

  7. Check the Define this policy setting box.
  8. In the characters field, enter 0.

    With a value of 0, the prompt above the field reads "No password required:"; otherwise it reads "Password must be at least:".

  9. Click OK to close the Minimum password length Properties dialog.
  10. Close the Group Policy Object Editor window.
  11. Click OK to close the <DOMAIN Name> Properties dialog.
  12. Close the Active Directory Users and Computers window.

    With zero-length passwords allowed, user profile injection will complete successfully.
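The setting changed by both procedures above can be confirmed from a policy export before a deployment is started. The following is an added example, not part of the original article or of ManageSoft: it assumes a text export created with `secedit /export /cfg policy.inf`, and the function names and sample export are constructed for illustration.

```python
# Added example: pre-flight check of the Minimum password length policy.
# Assumes a text export created with: secedit /export /cfg policy.inf
import sys
# Constructed sample of an export; values are illustrative only.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Version]
"""

def read_export(path):
    """secedit writes UTF-16 with a BOM; accept plain ANSI copies as well."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def minimum_password_length(inf_text):
    """Return MinimumPasswordLength from [System Access], or None if absent."""
    section = None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "minimumpasswordlength":
                return int(value)
    return None

def preflight(inf_text):
    """Report whether the NULL default password would be accepted."""
    length = minimum_password_length(inf_text)
    if length is None:
        return "UNKNOWN: MinimumPasswordLength not found in export"
    if length > 0:
        return "FAIL: minimum password length is %d; profile injection will fail" % length
    return "PASS: minimum password length is 0; NULL passwords are accepted"

if __name__ == "__main__":
    text = read_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(preflight(text))
```

Run it with the path to the exported file as the only argument; with no argument it evaluates the constructed sample.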
