Overcoming an All-Too Common M&A AD Integration Hiccup
Mergers and acquisitions can be tough for a variety of reasons – not the least of which is all of the moving pieces on the IT side. At Arraya, we’ve steered many companies and IT teams through these engagements. Over the years, we’ve learned plenty about making the process run more smoothly – including the tactics described below.
We began to notice a problem after end user identities and passwords were migrated from one Active Directory domain to another by way of the Windows Server Active Directory Migration Tool (ADMT). Once that migration was complete, users would be prompted to reset their passwords the next time they logged in to their account. This requirement is a default setting for ADMT.
For onsite users, this wasn’t much of an issue. They’d see the prompt, follow the steps and that was that. However, remote users connecting via VPN, or some other channel or portal, might not receive that prompt. Instead, their password would continue to be flagged as incorrect until they called the Help Desk. From there, the password could be reset, letting the user get back to work.
Considering the hectic nature of the M&A process, a flood of calls about passwords is the last thing anyone needs. However, there is a workaround that can prevent this situation.
There are two ways for those handling the AD migration to solve this problem. Which path they take can depend on whether the accounts are all going to one location or if they’ll be dispersed across several – although one of these methods will work for either use case. Regardless of which is chosen, it should be executed before the newly-moved accounts are released to end users.
One option is to run a PowerShell script. The script can be programmed to toggle off the setting in AD which mandates password resets for recently-migrated end users. Admins give the script a list or domain of users to target and then the script handles the rest automatically.
This approach works best in situations where admins are migrating a large number of end users to a variety of different locations. It can also be used to migrate smaller groups of users into one location. It’s up to the admin performing the migration to determine whether this method would be best in a given situation.
To run this PowerShell command from a domain controller, admins must:
- Launch PowerShell
- Import AD module to tell PowerShell which users to target
- Run PowerShell command containing instructions to turn off password resets for all included users
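The steps above, sketched as a script. This is an added example, not Arraya's own script: the OU path and report file name are placeholders, and it assumes the migrated accounts sit under a single OU and that the RSAT ActiveDirectory module is installed. It limits the change to accounts that actually carry the flag, skips disabled accounts, and writes a CSV record of every account it touched.

```powershell
# Added example: clear "must change password at next logon" for migrated users.
# $SearchBase and $ReportPath values are placeholders (assumptions), not from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SearchBase,                          # e.g. 'OU=Migrated,DC=example,DC=com'
    [string]$ReportPath = '.\pwd-flag-report.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# AD stores "must change password at next logon" as pwdLastSet = 0,
# so query only the accounts that carry the flag inside the target OU.
$flagged = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(pwdLastSet=0)' -Properties pwdLastSet, whenCreated

$results = foreach ($user in $flagged) {
    $status = 'Not changed (WhatIf or declined)'
    if (-not $user.Enabled) {
        # Leave disabled accounts alone; they should not be made logon-ready here.
        $status = 'Skipped (disabled)'
    }
    elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear ChangePasswordAtLogon')) {
        try {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $false `
                -Confirm:$false -ErrorAction Stop
            $status = 'Cleared'
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        WhenCreated       = $user.whenCreated
        Status            = $status
    }
}

# Keep a record of what was changed, even on a -WhatIf dry run.
$results | Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
$results | Group-Object Status | Select-Object Name, Count
```

Running it with `-WhatIf` first produces the report without modifying any account, which lets the list be reviewed before the accounts are released to end users.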
Another solution available to admins? They can correct things directly in AD. This is typically effective only if they’re migrating smaller groups of users into one central location. To solve the problem in AD, the admin must:
- Select the targeted group of end users
- Right click on it
- Click on the Properties option
- Under the Account section, click on the empty check box to the far left of the option which reads “User must change password before next log-in”
- Click “Apply”
By doing this, the admin will undo ADMT’s default option, ensuring remote users will be able to log in without the help of the Help Desk.
By their very nature, M&A engagements are complex – and even frustrating. While it won’t eliminate either of those issues, the above method can at least ease the burden. Instead of dealing with a barrage of password issues, the Help Desk will be free to handle the other concerns that are bound to crop up.
There is another way to reduce the frustration inherent in M&A scenarios: partnering with Arraya Solutions. Our team understands the challenges presented by M&A and we’ve compiled volumes of experience in the area. That knowledge has been distilled into our award-winning M&A in a Box service. This offering is built to assist organizations with the strategy, management, and execution of M&A projects.
To learn more about M&A in a Box, or to speak with a member of our Microsoft team to discuss the solution presented above, please visit: www.arrayasolutions.com/contact-us/. We’re also reachable through social media: Twitter, LinkedIn, and Facebook.