This article describes an inconsistency in the way the
account expiration date is displayed in User Manager and in Active Directory
Users and Computers for user accounts that are migrated from Microsoft Windows
NT 4.0 to Windows 2000 or Windows Server 2003 domains by using either the
Active Directory Migration Tool (ADMT) or Clone Principal.
ADMT and
Clone Principal migrate users and their related attributes, such as username,
security account manager (SAM) account name, home directory, profile path, and
security-related attributes, such as account expiration and logon hours.
Note: Windows Server 2003 includes a new version of Active Directory
that adds new features but does not break compatibility with existing
programs.
When you migrate user accounts from a Windows NT 4.0
source domain to a Windows 2000 or Windows Server 2003 destination domain, the
account expiration date for the migrated account may appear to be one day ahead
of or behind the expiration date that is defined in the source.
For example, if the account expiration date for a user account in a Windows
NT 4.0 source domain appears as 12/31/2003 (December 31, 2003) in User Manager
for Domains, the expiration date of the migrated account may appear as
12/30/2003 (December 30, 2003) when you view it from the Active Directory Users
and Computers snap-in. Similarly, an expiration date of 11/30/2003 in the source
domain may appear as 11/31/2003 in the destination domain. The dates in these
examples are only illustrations; the behavior is not limited to them.
Even though the accounts appear to have a 24-hour difference in account
expiration, the values (large integers) that define the account expiration
dates are the same in the source domain and destination domain. For actual
logon, the "expected" expiration date is enforced, plus or minus one hour,
regardless of what the user interface displays.
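Because the stored large integers are what matter, a migration check should compare them directly rather than the dates the tools display. The following is an added example, not code from this article, ADMT, or Clone Principal. It assumes the value is a Windows FILETIME-style count of 100-nanosecond ticks since 1601-01-01 UTC with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires" (as in the Active Directory accountExpires attribute); the function names and the sample value are constructed, and the article does not state which rendering rule each tool applies.

```python
from datetime import datetime, timedelta, timezone

# Assumption: expiry is stored as 100-ns ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # both sentinels mean "never expires"

def encode_expiry(when):
    """Convert an aware datetime to the stored large-integer form."""
    return (when - EPOCH_1601) // timedelta(microseconds=1) * 10

def decode_expiry(raw):
    """Return the expiry as an aware UTC datetime, or None for 'never'."""
    if raw in NEVER:
        return None
    if raw < 0:
        raise ValueError("expiry value must not be negative")
    return EPOCH_1601 + timedelta(microseconds=raw // 10)

def shown_date(raw, utc_offset_hours):
    """Calendar date of the same stored instant at a given UTC offset."""
    when = decode_expiry(raw)
    if when is None:
        return "never"
    tz = timezone(timedelta(hours=utc_offset_hours))
    return when.astimezone(tz).date().isoformat()

def compare_migrated(source_raw, dest_raw):
    """Judge a migrated account by its stored values, not by UI text."""
    src, dst = decode_expiry(source_raw), decode_expiry(dest_raw)
    if src is None or dst is None:
        return "match" if src is dst else "MISMATCH"
    return "match" if src == dst else "MISMATCH"

# Constructed sample: an expiry instant of 2004-01-01 00:00:00 UTC.
SAMPLE = encode_expiry(datetime(2004, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("stored value:", SAMPLE)
    # One stored instant, two different calendar dates when rendered.
    for offset in (0, -5):
        print(f"UTC{offset:+d}: {shown_date(SAMPLE, offset)}")
    # Hypothetical (account, source value, destination value) rows.
    one_day = 24 * 3600 * 10**7
    rows = [("alice", SAMPLE, SAMPLE), ("bob", 0, 0x7FFFFFFFFFFFFFFF),
            ("carol", SAMPLE, SAMPLE + one_day)]
    for name, src, dst in rows:
        print(name, compare_migrated(src, dst))
```

An account reported as "match" here has the same enforced expiration in both domains even if the two user interfaces show dates one day apart.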