XADM: Strong Password Policy Prevents the ADC from Creating Enabled Users (297191)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q297191

SYMPTOMS

When you use the Active Directory Connector (ADC), you can configure a Connection Agreement (CA) to create enabled users in Active Directory when it replicates a Microsoft Exchange 5.5 mailbox whose primary Windows account does not exist in the Windows domain. If you configure a CA to create enabled users and a strong password policy is in place in the Windows 2000 Active Directory domain, the user creation may not succeed. If ADC logging for the "LDAP Operations" category is set to Minimum or higher, the following error is logged in the Application log on the computer that is running the ADC:
Event Type: Error
Event Source: MSADC
Event Category: LDAP Operations
Event ID: 8021
Computer: ADCSERVER
Description:
LDAP Add on directory GCSERVER for entry
'cn=55user,CN=Users,DC=domain,DC=com'
was unsuccessful with error:[0x35] Unwilling To Perform
[ 0000052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0 ].
(Connection Agreement 'Exchange 5.5 to AD' #3516)

CAUSE

This behavior occurs because the ADC does not set a strong password when it creates accounts, whether enabled or disabled. This is not an issue for disabled users because the strong password policy is not applicable to disabled user accounts.
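
The extended code 0000052D in the event above is Win32 error 1325 (ERROR_PASSWORD_RESTRICTION), which separates a password-policy refusal from other causes of LDAP result 0x35. The following triage script is an added example, not part of the original article or of the ADC; the function names are hypothetical, and the sample input is the event description shown above.

```python
import re

# Constructed sample: the Description text of the MSADC event 8021 in this article.
SAMPLE_EVENT = """LDAP Add on directory GCSERVER for entry
'cn=55user,CN=Users,DC=domain,DC=com'
was unsuccessful with error:[0x35] Unwilling To Perform
[ 0000052D: SvcErr: DSID-031A0B56, problem 5003
(WILL_NOT_PERFORM), data 0 ].
(Connection Agreement 'Exchange 5.5 to AD' #3516)"""

LDAP_UNWILLING_TO_PERFORM = 0x35    # LDAP result code 53
ERROR_PASSWORD_RESTRICTION = 0x52D  # Win32 error 1325

# Whitespace is matched loosely because event text wraps differently per viewer.
PATTERN = re.compile(
    r"LDAP\s+(?P<op>\w+)\s+on\s+directory\s+(?P<server>\S+)\s+for\s+entry\s+"
    r"'(?P<dn>[^']+)'\s+was\s+unsuccessful\s+with\s+error:\s*"
    r"\[0x(?P<ldap>[0-9A-Fa-f]+)\]"
    r".*?\[\s*(?P<win32>[0-9A-Fa-f]{8}):"
    r".*?\(Connection\s+Agreement\s+'(?P<ca>[^']+)'",
    re.DOTALL,
)

def parse_adc_failure(description):
    """Return the fields of an ADC LDAP failure, or None if the text does not match."""
    m = PATTERN.search(description)
    if m is None:
        return None
    ldap_code = int(m.group("ldap"), 16)
    win32_code = int(m.group("win32"), 16)
    return {
        "operation": m.group("op"),
        "server": m.group("server"),
        "dn": m.group("dn"),
        "connection_agreement": m.group("ca"),
        "ldap_code": ldap_code,
        "win32_code": win32_code,
        # True only for an Add refused because of the password policy.
        "password_policy_rejection": m.group("op").lower() == "add"
        and ldap_code == LDAP_UNWILLING_TO_PERFORM
        and win32_code == ERROR_PASSWORD_RESTRICTION,
    }

def rejected_entries(descriptions):
    """List the DNs whose creation was refused by the password policy."""
    parsed = (parse_adc_failure(d) for d in descriptions)
    return [p["dn"] for p in parsed if p and p["password_policy_rejection"]]

if __name__ == "__main__":
    print(rejected_entries([SAMPLE_EVENT]))
```

Feed it the description text of each MSADC event 8021 exported from the Application log; the returned DNs are the accounts affected by the behavior described in this article.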

RESOLUTION

To resolve this behavior, set the ADC to create disabled accounts instead of enabled Windows accounts by configuring the CA to create disabled users:
  1. Open the ADC Management Microsoft Management Console (MMC).
  2. Expand the ADC Server folder that contains the CA.
  3. Right-click the CA, and then click Properties.
  4. Click the Advanced tab.
  5. Under When replicating a mailbox whose primary Windows account does not exist in the domain, click the Create a new Windows user account option.

MORE INFORMATION

For additional information about strong password functionality in Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

225230 Enabling Strong Password Functionality in Windows 2000


Modification Type: Minor
Last Reviewed: 4/25/2005
Keywords: kbprb KB297191