Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Account Expiration for a Migrated User Appears to Be One Day Ahead of or Behind the Date in the Source Domain


View products that this article applies to.

This article was previously published under Q278359

↑ Back to the top


Symptoms

This article describes an inconsistency in the way the account expiration date is displayed in User Manager and in Active Directory Users and Computers for user accounts that are migrated from Microsoft Windows NT 4.0 to Windows 2000 or Windows Server 2003 domains by using either the Active Directory Migration Tool (ADMT) or Clone Principal.

ADMT and Clone Principal migrate users and their related attributes, such as username, security account manager (SAM) account name, home directory, profile path, and security-related attributes, such as account expiration and logon hours.
Note Windows Server 2003 includes a new version of Active Directory that adds new features but does not break compatibility with existing programs.
When you migrate user accounts from a Windows NT 4.0 source domain to a Windows 2000 or Windows Server 2003 destination domain, the account expiration date for the migrated account may appear to be one day ahead of or behind the expiration date that is defined in the source.

For example, if the account expiration date for a user account in a Windows NT 4.0 source domain appears as 12/31/2003 (December 31, 2003) in "User Manager" for domains, the expiration date of the migrated account may appear as 12/30/2003 (December 30, 2003) when you view it from the Active Directory Users and Computers snap-in. Similarly, an expiration date of 11/30/2003 in the source domain may appear as 11/31/2003 in the destination domain. Note that the dates that are used in the previous examples are not unique.

Even though the the accounts appear to have a 24-hour difference in account expiration, the values (large integers) that define the account expiration dates are the same in the source domain and destination domain. As for actually being able to log on, the "expected" expiration date (regardless of what the user interface displays) is enforced, plus or minus one hour.

↑ Back to the top


Cause

The inconsistency occurs because of the way Windows NT 4.0 User Manager sets account expiration. Specifically, it does not consider scenarios where the current day is not in daylight-saving time, but the account expiration day is in daylight-saving time (or vice versa).

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

↑ Back to the top


More information

ADMT is a Microsoft Management Console (MMC) snap-in that is used to migrate user accounts, groups, and computer accounts from Windows NT 4.0 domains to Active Directory domains. ADMT is available in Windows Server 2003 in the i386\ADMT folder of the installation CD. Clone Principal is a set of a command-line scripts for Windows 2000 that performs a similar function.

↑ Back to the top


Keywords: KB278359, kbui, kbprb, kbnetwork

↑ Back to the top

Article Info
Article ID : 278359
Revision : 7
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False
Views : 404