ADMT v3 sets the "User must change password at next logon" flag on migrated user objects
By SuperUser Account on Tuesday, December 18, 2007 5:03 PM
This article describes an unexpected behaviour of ADMT v3 and how to work around it.
When migrating accounts with ADMT I noticed that the target (i.e. migrated) account automatically receives the "User must change password at next logon" flag. This occurs even if you configure the target account state to be "Target same as source" and the source account does not have this flag set.

I was a little surprised at this as I did not remember it happening with previous versions of ADMT, but then I found information suggesting it is a security feature of the APIs that ADMT uses: Windows Server 2003 is more restrictive here than Windows 2000 was. The information is available in the following links:
http://www.mcse.ms/message1660180.html
http://www.eggheadcafe.com/forumarchives/windowsservermigration/feb2006/post25476073.asp
The information provided by these two Microsoft engineers suggests a workaround of un-setting the flag after the target account is created.
This is fine, but they also suggest that modifying the SamRestrictOwfPasswordChange registry key value to 0 will change the behaviour of the API so that the flag isn't set. I tried this in my test lab, but couldn’t get it to work.
I have since found out that ADMT explicitly sets pwdLastSet to 0 on the target object. A pwdLastSet value of 0 is exactly what Active Directory interprets as the "User must change password at next logon" flag (the checkbox in Active Directory Users and Computers is just a view of this attribute). Because ADMT writes the attribute itself rather than relying on the behaviour of the password-set API, modifying the SamRestrictOwfPasswordChange registry setting has no effect.
A script sample to unset the flag can be found in the link below. It works by writing the value -1 to the pwdLastSet attribute; the domain controller does not accept arbitrary timestamps for this attribute, but it replaces -1 with the current time, which clears the flag. Note that this also restarts the password age for the account, so the migrated password's expiry is counted from the moment the script runs, not from when the password was last set in the source domain.
http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx?mfr=true
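Below is an added example (my own, not the Microsoft script sample linked above and not anything shipped with ADMT) that applies the workaround in bulk while keeping the "Target same as source" semantics: it clears the flag on migrated accounts only where the source account did not have pwdLastSet = 0, and leaves the flag in place where the source also required a password change or where no source account can be found. The OU and domain names are hypothetical, it assumes ADMT preserved sAMAccountName (adjust the lookup if you renamed accounts), and it uses ADSI so nothing beyond PowerShell is needed on the admin host. Only run it if the passwords were actually migrated (ADMT's "Migrate passwords" option with the Password Export Server); if ADMT generated new passwords, the flag is what you want.

```powershell
<#
Added example, not code from the original post or from Microsoft's script sample.
Clears the "User must change password at next logon" flag that ADMT v3 leaves on
migrated accounts by writing -1 to pwdLastSet, but only where the SOURCE account
did not have the flag, so the result actually matches "Target same as source".
Assumptions (hypothetical values): migrated accounts live under
OU=Migrated,DC=target,DC=example, the source domain is DC=source,DC=example,
sAMAccountName was preserved by the migration, and the account running this can
read the source domain and write pwdLastSet in the target domain.
Run with -WhatIf first; -Verbose reports the accounts that are left alone.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TargetOu   = 'LDAP://OU=Migrated,DC=target,DC=example',
    [string]$SourceRoot = 'LDAP://DC=source,DC=example'
)

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values so an odd
    # sAMAccountName cannot change the meaning of the lookup filter.
    param([string]$Value)
    $escaped = $Value
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    return $escaped
}

function Get-SourcePwdLastSet {
    # Returns the source account's pwdLastSet as Int64, or $null if no account matches.
    # DirectorySearcher already hands back LargeInteger attributes as Int64.
    param([string]$SamAccountName, [string]$Root)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Root)
    $safeName = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    if ($hit.Properties['pwdlastset'].Count -eq 0) { return 0 }
    return [int64]$hit.Properties['pwdlastset'][0]
}

# pwdLastSet = 0 is exactly what the "must change password at next logon"
# checkbox represents, so this filter finds every account ADMT flagged.
$targetSearcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]$TargetOu,
    '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))')
$targetSearcher.PageSize = 500
[void]$targetSearcher.PropertiesToLoad.Add('sAMAccountName')

$cleared = 0; $kept = 0; $missing = 0
foreach ($result in $targetSearcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    $sourceValue = Get-SourcePwdLastSet -SamAccountName $sam -Root $SourceRoot

    if ($null -eq $sourceValue) {
        # No counterpart in the source domain: leave the flag alone and report it.
        Write-Warning "$sam : no matching source account, flag left set"
        $missing++
        continue
    }
    if ($sourceValue -eq 0) {
        # The source genuinely required a password change; "same as source" means keep it.
        Write-Verbose "$sam : source also has pwdLastSet=0, keeping flag"
        $kept++
        continue
    }

    # Writing -1 is the only accepted way to clear the flag: the DC rejects
    # arbitrary timestamps and replaces -1 with "now", which also restarts
    # the password age for this account.
    $user = $result.GetDirectoryEntry()
    if ($PSCmdlet.ShouldProcess($sam, 'Set pwdLastSet to -1 (clear must-change flag)')) {
        $user.Put('pwdLastSet', -1)
        $user.SetInfo()
        $cleared++
    }
}

Write-Host "Cleared: $cleared  Kept (source also flagged): $kept  No source match: $missing"
```

Scope the target search to the OU (or the migration batch) you just migrated rather than the whole domain, otherwise the filter will also pick up unrelated accounts that legitimately have the flag set, and the source lookup will not protect you from clearing it on accounts that were never migrated.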