Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 2004090 - Last Review: June 24, 2010 - Revision: 7.0
ADMT 3.1 PES installation fails with error "The supplied password does not match this encryption key's password."
Configuring the Password Export Server (PES) service on Active Directory Migration Tool version 3.1 on the source domain PDC Emulator role holder using the ADMT KEY command shown below fails with the following on-screen error:
Command-line syntax:
ADMT KEY /OPTION:CREATE /SOURCEDOMAIN:<ADMT source domain> /KEYFILE:x:\<path>\<filename>.pes /PWD:*
On-screen error:
Dialog Title text: Invalid Password!
Dialog message text:
The supplied password does not match this encryption key's password. ADMT's Password Migration Filter DLL will not install without a valid encryption key.
The supplied password was correct, but Windows Installer (msiexec.exe) failed to open a handle to the policy object on the domain controller for saving the password that will be used by the PES service. The failure indicates that the user account did not have the required permission.
The user who installs the PES service must be a member of the domain's built-in Administrators group.
In addition, if the user account is not a member of the built-in Administrators account, and User Account Control (UAC) is enabled on the domain controller, the user runs with least user privileges after logon. To access the policy object on the domain controller for installing the PES service, the user must launch the Pwdmig.msi setup file with full privileges.
Ensure the user account who installs the PES service is a member of the domain's built-in Administrators group by running the whoami /groups command, and run the Pwdmig.msi setup file in an elevated command-prompt window launched with the Run as administrator option.
If you see that the output of the command whoami /groups looks like the following, it means the user logged in with least user privileges. Although they are a member of the built-in Administrators group, they do not have permissions to perform administrative tasks with this token.
Whoami /groups output:
|
Group Name |
Type |
SID |
Attributes |
|
========== |
========== |
========== |
========== |
|
Everyone |
Well-known group |
S-1-1-0 |
Mandatory group, Enabled by default, Enabled group |
|
BUILTIN\Administrators |
Alias |
S-1-5-32-544 |
Group used for deny only |
|
BUILTIN\Users |
Alias |
S-1-5-32-545 |
Mandatory group, Enabled by default, Enabled group |
|
…. |
|
|
|
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See
Terms of Use
(http://go.microsoft.com/fwlink/?LinkId=151500)
for other considerations.
APPLIES TO
- Windows Server 2008 Service Pack 2
- Windows Server 2008 Standard
- Windows Server 2008 Standard without Hyper-V
- Windows Server 2008 Datacenter
- Windows Server 2008 Datacenter without Hyper-V
- Windows Server 2008 Enterprise
- Windows Server 2008 Enterprise without Hyper-V
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate