Microsoft KB Archive/297191

= XADM: Strong Password Policy Prevents the ADC from Creating Enabled Users =

Article ID: 297191

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition




This article was previously published under Q297191



SYMPTOMS
When using the Active Directory Connector (ADC), you can configure a Connection Agreement (CA) to create enabled users in Active Directory when a mailbox is being replicated from Microsoft Exchange 5.5 for which the primary Windows account does not exist in the Windows domain. If you configure a CA to create enabled users and a strong password policy is in place in the Windows 2000 Active Directory domain, the user creation may not succeed. If ADC logging for category "LDAP Operations" is set to Minimum or higher, the following error will be logged in the Application log on the computer that is running the ADC:

Event Type: Error

Event Source: MSADC

Event Category: LDAP Operations

Event ID: 8021

Computer: ADCSERVER

Description:

LDAP Add on directory GCSERVER for entry 'cn=55user,CN=Users,DC=domain,DC=com' was unsuccessful with error:[0x35] Unwilling To Perform [ 0000052D: SvcErr: DSID-031A0B56, problem 5003 (WILL_NOT_PERFORM), data 0 ]. (Connection Agreement 'Exchange 5.5 to AD' #3516)



CAUSE
This behavior occurs because the ADC does not set a strong password when it creates accounts, whether enabled or disabled. This is not an issue for disabled users, because strong password policy is not applicable to disabled user accounts.
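
As an added example (not part of the original article), the following Python code parses an Event ID 8021 description and flags the case described here: an LDAP Add refused with 0x35 whose extended error carries code 0000052D. The mapping of 0x52D to ERROR_PASSWORD_RESTRICTION is a standard Windows constant rather than something the article states, and the function and variable names are hypothetical.

```python
import re

# Well-known constants (not taken from the article): LDAP result 0x35 is
# unwillingToPerform; Win32 error 0x52D (1325) is ERROR_PASSWORD_RESTRICTION.
LDAP_UNWILLING_TO_PERFORM = 0x35
ERROR_PASSWORD_RESTRICTION = 0x52D

# Tolerates the line breaks the Event Viewer inserts into the description.
EVENT_RE = re.compile(
    r"LDAP (?P<op>\w+) on directory (?P<server>\S+) for entry\s+'(?P<dn>[^']+)'\s+"
    r"was unsuccessful with error:\s*\[0x(?P<ldap>[0-9A-Fa-f]+)\][^\[]*"
    r"\[\s*(?P<win32>[0-9A-Fa-f]{8}):\s*\w+:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),\s*"
    r"problem\s+(?P<problem>\d+)\s*\((?P<name>\w+)\)"
    r"(?:.*?\(Connection Agreement '(?P<ca>[^']+)')?",
    re.DOTALL,
)

def parse_adc_8021(description):
    """Return the fields of an MSADC 8021 description, or None if it does not match."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    fields = m.groupdict()
    fields["ldap"] = int(fields["ldap"], 16)
    fields["win32"] = int(fields["win32"], 16)
    # Only an Add refused with 0x35 *and* 0x52D points at the password policy;
    # "Unwilling To Perform" alone has many other causes.
    fields["password_policy_rejection"] = (
        fields["op"] == "Add"
        and fields["ldap"] == LDAP_UNWILLING_TO_PERFORM
        and fields["win32"] == ERROR_PASSWORD_RESTRICTION
    )
    return fields

# Description text as quoted in the article.
SAMPLE = (
    "LDAP Add on directory GCSERVER for entry\n\n"
    "'cn=55user,CN=Users,DC=domain,DC=com'\n\n"
    "was unsuccessful with error:[0x35] Unwilling To Perform\n\n"
    "[ 0000052D: SvcErr: DSID-031A0B56, problem 5003\n\n"
    "(WILL_NOT_PERFORM), data 0 ].\n\n"
    "(Connection Agreement 'Exchange 5.5 to AD' #3516)"
)
# Constructed variant: same LDAP result, different extended error code.
OTHER = SAMPLE.replace("0000052D", "00002077")

if __name__ == "__main__":
    for text in (SAMPLE, OTHER):
        r = parse_adc_8021(text)
        print(r["dn"], r["ca"], hex(r["win32"]), r["password_policy_rejection"])
```
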



RESOLUTION
To resolve this behavior, set the ADC to create disabled accounts instead of enabled Windows accounts. Configure the CA to create disabled users:
 * 1) Open the ADC Management Microsoft Management Console (MMC).
 * 2) Expand the ADC Server folder that contains the CA.
 * 3) Right-click the CA, and then click Properties.
 * 4) Click the Advanced tab.
 * 5) Under When replicating a mailbox whose primary Windows account does not exist in the domain, click the Create a new Windows user account option.



MORE INFORMATION
For additional information about strong password functionality in Windows 2000, click the article number below to view the article in the Microsoft Knowledge Base:

225230 Enabling Strong Password Functionality in Windows 2000

Keywords: kbprb KB297191


© Microsoft Corporation. All rights reserved.