Microsoft KB Archive/278359

= Account Expiration for a Migrated User Appears to Be One Day Ahead of or Behind the Date in the Source Domain =

Article ID: 278359

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q278359



SYMPTOMS
This article describes an inconsistency in the way the account expiration date is displayed in User Manager and in Active Directory Users and Computers for user accounts that are migrated from Microsoft Windows NT 4.0 to Windows 2000 or Windows Server 2003 domains by using either the Active Directory Migration Tool (ADMT) or Clone Principal.

ADMT and Clone Principal migrate users and their related attributes, such as username, security account manager (SAM) account name, home directory, profile path, and security-related attributes, such as account expiration and logon hours.

Note Windows Server 2003 includes a new version of Active Directory that adds new features but does not break compatibility with existing programs.

When you migrate user accounts from a Windows NT 4.0 source domain to a Windows 2000 or Windows Server 2003 destination domain, the account expiration date for the migrated account may appear to be one day ahead of or behind the expiration date that is defined in the source.

For example, if the account expiration date for a user account in a Windows NT 4.0 source domain appears as 12/31/2003 (December 31, 2003) in &quot;User Manager&quot; for domains, the expiration date of the migrated account may appear as 12/30/2003 (December 30, 2003) when you view it from the Active Directory Users and Computers snap-in. Similarly, an expiration date of 11/30/2003 in the source domain may appear as 11/31/2003 in the destination domain. Note that the dates that are used in the previous examples are not unique.

Even though the the accounts appear to have a 24-hour difference in account expiration, the values (large integers) that define the account expiration dates are the same in the source domain and destination domain. As for actually being able to log on, the &quot;expected&quot; expiration date (regardless of what the user interface displays) is enforced, plus or minus one hour.



CAUSE
The inconsistency occurs because of the way Windows NT 4.0 User Manager sets account expiration. Specifically, it does not consider scenarios where the current day is not in daylight-saving time, but the account expiration day is in daylight-saving time (or vice versa).



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
ADMT is a Microsoft Management Console (MMC) snap-in that is used to migrate user accounts, groups, and computer accounts from Windows NT 4.0 domains to Active Directory domains. ADMT is available in Windows Server 2003 in the i386\ADMT folder of the installation CD. Clone Principal is a set of a command-line scripts for Windows 2000 that performs a similar function.

Additional query words: admt cloneprin

Keywords: kbnetwork kbprb kbui KB278359

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.