phram3z
asked on
SBS 2003; can't change user passwords; "cannot find the file specified"
Hi experts,
I'm responsible for a small network of < 15 computers. We have one DC running SBS 2003 SP2 latest updates & hotfixes however I have a problem when I try to change an existing users password.
Currently on the DC, if I go to AD and select change or reset password i get the error message:
"
Windows cannot complete the password change for <user> because:
The system cannot find the file specified
"
There were no errors in any of the logs and this problem will also even occur if you try to change the password to a blank; we have password policies enabled so they have to be at least length 7 with certain complexities, so you'd expect a message about specified password not matching required password policies.
At the same time this problem arose, I was also unable to create a new user and received exactly the same error message. I managed to fix this by changing the permissions of the 'C:\users shared folders' folder. So based on that I think it might be a related permissions problem, although why would the permissions have changed, I have no idea, and also i'm not sure what files I would need to check the permissions on. Currently on 'users shared folders' they are set
Everyone has full sharing permissions.
Security Permissions:
Administrators : Full Control
CREATOR OWNER : Full Control
Domain Admins : Full Control
Domain Users : Full Control
Folder Operators : Full Control
Server Operators : Full Control
System : Full Control
'Inheritable permissions...' & 'replace permission entries...' checkboxes are unchecked.
Would anyone know which file is accessed by AD when a password change is attempted?
We migrated over a year ago, and I have been able to change passwords easily until a couple of months ago. Passwords recently expired and internal users were able to change their own passwords when prompted to. Some people only use remote mail and therefore do not access or work on an internal machine and have since been locked out.
Any ideas would be greatly appreciated.
Cheers,
Michael
Note: We did migrate from windows 2000 machine however there were never any Netware servers. Regardless, I've run the microsoft suggested solution in the case of Netware servers existing (Net user username /fpnw:no) and it didn't fix anything.
I'm responsible for a small network of < 15 computers. We have one DC running SBS 2003 SP2 latest updates & hotfixes however I have a problem when I try to change an existing users password.
Currently on the DC, if I go to AD and select change or reset password i get the error message:
"
Windows cannot complete the password change for <user> because:
The system cannot find the file specified
"
There were no errors in any of the logs and this problem will also even occur if you try to change the password to a blank; we have password policies enabled so they have to be at least length 7 with certain complexities, so you'd expect a message about specified password not matching required password policies.
At the same time this problem arose, I was also unable to create a new user and received exactly the same error message. I managed to fix this by changing the permissions of the 'C:\users shared folders' folder. So based on that I think it might be a related permissions problem, although why would the permissions have changed, I have no idea, and also i'm not sure what files I would need to check the permissions on. Currently on 'users shared folders' they are set
Everyone has full sharing permissions.
Security Permissions:
Administrators : Full Control
CREATOR OWNER : Full Control
Domain Admins : Full Control
Domain Users : Full Control
Folder Operators : Full Control
Server Operators : Full Control
System : Full Control
'Inheritable permissions...' & 'replace permission entries...' checkboxes are unchecked.
Would anyone know which file is accessed by AD when a password change is attempted?
We migrated over a year ago, and I have been able to change passwords easily until a couple of months ago. Passwords recently expired and internal users were able to change their own passwords when prompted to. Some people only use remote mail and therefore do not access or work on an internal machine and have since been locked out.
Any ideas would be greatly appreciated.
Cheers,
Michael
Note: We did migrate from windows 2000 machine however there were never any Netware servers. Regardless, I've run the microsoft suggested solution in the case of Netware servers existing (Net user username /fpnw:no) and it didn't fix anything.
Andrew Davis
you could try running filemon and regmon (allthough filemon is going to most likley answer the question). This will tell you what the server is trying to access when the failure happens.
ASKER
Hey Andrew,
Thanks for that, I'll check them out and let you know how I go.
Cheers,
Michael
Thanks for that, I'll check them out and let you know how I go.
Cheers,
Michael
ASKER
Filemon didn't really tell me much just that the process lsass.exe:412 is reading from c:\windows\ntds\ntds.dit which is the AD database file i believe. I've previously checked the permission settings and there's no reason they would be the cause. Currently the following users have full control over ntds.dit; Administrators, LOCAL SERVICE, SYSTEM, Users. Seems like a dead end to me.
Any ideas on where to go from here would be awesome.
Thanks,
Michael
Any ideas on where to go from here would be awesome.
Thanks,
Michael
ASKER
Regmon came up with the following activity for lsass
<<<<<<<<<<<<<<<<<<<<<<<<<<
35.69426346 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69660187 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69692993 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69910049 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.70262146 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
36.18303680 lsass.exe:412 OpenKey HKCU\Software\Microsoft\Wi
36.18322372 lsass.exe:412 OpenKey HKCU\Software\Microsoft\Wi
>>>>>>>>>>>>>>>>>>>>>>>>>>
User Shell Folders does exist, although not sure what to make of the buffer overflow, I've heard it's quite normal for buffer overflows, not found errors and failures to occur regularly, so this might be nothing.
Any ideas?
Thanks,
Michael
<<<<<<<<<<<<<<<<<<<<<<<<<<
35.69426346 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69660187 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69692993 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.69910049 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
35.70262146 lsass.exe:412 QueryValue HKLM\SECURITY\Policy\SecDe
36.18303680 lsass.exe:412 OpenKey HKCU\Software\Microsoft\Wi
36.18322372 lsass.exe:412 OpenKey HKCU\Software\Microsoft\Wi
>>>>>>>>>>>>>>>>>>>>>>>>>>
User Shell Folders does exist, although not sure what to make of the buffer overflow, I've heard it's quite normal for buffer overflows, not found errors and failures to occur regularly, so this might be nothing.
Any ideas?
Thanks,
Michael
ASKER
Just now I tried to add a new user and it was unsuccessful, so disregard my previous statement about being able to do that. The error for that is somewhat different though. On getting halfway through the user creation a windows popup appears
'
Data Execution Prevention
To help protect your computer, Windows has closed this program
Name : SBS Add User Wizard
Publisher : Microsoft Corporation
'
Unless Microsoft has finally realised their software is not computer friendly, this has got me stumped. Can't change user passwords and now user creation has died on me as well.
Any help would be great.
Thanks,
Michael
'
Data Execution Prevention
To help protect your computer, Windows has closed this program
Name : SBS Add User Wizard
Publisher : Microsoft Corporation
'
Unless Microsoft has finally realised their software is not computer friendly, this has got me stumped. Can't change user passwords and now user creation has died on me as well.
Any help would be great.
Thanks,
Michael
ASKER
The Data Execution Prevention error was solved, simply by adding Add User Wizard.exe to the exemptions list. See http://support.microsoft.com/default.aspx?scid=kb;en-us;897342
So i'm back to just the original problem of not being able to change a users password through AD.
Michael
So i'm back to just the original problem of not being able to change a users password through AD.
Michael
ASKER
Well, i fixed it, turn out that the admin profile was too big to be loaded so it was loading the default profile. After cleaning out the admin profile to a reasonable size i was able to change user passwords with no problems.
You should have been receiving a notification in the systray that the profile had exceeded the size limit.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.