Flexible Security For Your Peace of Mind

Migrating users with sub-objects can fail

(Last updated on February 5, 2021)

Specops Password Reset (SPR) and Specops Password Policy (SPP) take full advantage of Active Directory. SPR creates a classStore Object called specops-spp-passwordreset. SPP creates a classstore Object called specops-spp-passwordhistory. Both of these objects can prevent migration tools, such as Active Directory Migration Tool (ADMT), from successfully migrating the user object.

Note: The latest version of Specops Password Policy (version 7.1 or later) allows the domain admin group to delete the SPP sub-object without any further modification. If however your migration process is running without domain admin privileges, follow the steps below.

How do I remove the classStore Objects created by Specops?

Organizations will need to delete this information prior to the migration. Deleting the history object means that the password history for that user will be gone and begin to be rebuilt. Deleting the passwordReset data means the user will need to re-enroll when they log into the target domain.

Specops provides a tool that can deal with this situation and more. It is placed in the program files directory under the admin tools for the given product.

Help Content

In the most recent build of Specops Password Solutions the help file is missing. Below is the help content.


SpObjMgr.exe {PasswordPolicy | PasswordReset} <base DN> {DELETE |ENABLE_INHERIT |GRANT_FC <AccountName>}


PasswordPolicy: operate on SPP password history objects.

PasswordReset:  operate on SPR password reset settings objects.

<base DN>: distinguished name of the entry at which to start the search.

DELETE: deletes all objects found underneath the given base DN.

ENABLE: INHERIT enables inheritance on all objects found underneath the given base DN.

GRANT_FC: grants full control for given account on all objects found underneath the given base DN.

<AccountName>: name of account, specific as <domain><user>


SpObjMgr.exe PasswordPolicy “OU=accounts,DC=acme,DC=local” DELETE (deletes all password history object in the OU)

SpObjMgr.exe PasswordPolicy “CN=Minnie Mouse,OU=Accounts,DC=Acme,DC=local” DELETE (deletes the password history object for the specific user)

SpObjMgr.exe PasswordReset “OU=Accounts,DC=acme,DC=local” GRANT_FC acmesu (grants the user ‘su’ full control on all password reset objects in the OU)

Tags: , ,

Back to Blog