Solved

Group policies don't work unable to change passwords.

Posted on 2006-04-05
Last Modified: 2012-05-05
Hi there.

I have this huge problem.
We have a Windows 2003 Standard server in our datacentre. It is a PDC and is also running Exchange. There are no other machines in this domain. I did a clean install on this server before it went to the datacentre. The only thing was that I changed the policy for password complexity. This worked fine, and I put all the users into AD with a nice simple password for the time being.

Now that the server is in the datacentre and I'm moving clients to use this machine's webmail, I will also have to change the passwords to the ones provided to me by the users.

That was the moment I got the following error.

Windows cannot complete the password change for (username) because, Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off.

Also in the event log I have these two IDs popping up.
Userenv 1058:
Windows cannot access the file gpt.ini

(Note: this is weird because the file exists in this location and the rights assigned are all in order.)

Userenv 1030:
Windows cannot query for list of group policy objects

I found a hotfix for it as described in KB article 842804.
This could not be installed because SP1 is newer.
Also I found an article in this forum which suggested I use Dfsutil /purgemupcache.
No results whatsoever. I checked if the netlogon and sysvol shares are present and have the correct rights assigned. This is the case.

I also checked if there is a DWORD value (WaitForNetwork) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
There was not, so I created it. No results whatsoever. I also reinstalled SP1. Also no results.

Any help is appreciated.
I have 80 people with no email at this moment.


Question by:dutchgeek
29 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16379713
Hi dutchgeek,

make sure you have the TCPIP helper service enabled and running

then run DCDIAG for me

Cheers!
0
 

Author Comment

by:dutchgeek
ID: 16379814
Here you are:

    Computer Name: NL01EXC001
    DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB905414
        KB905915
        KB908519
        KB909520
        KB910437
        KB911564
        KB911927
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : InterNet

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 217.194.116.40
        Subnet Mask. . . . . . . . : 255.255.255.240
        Default Gateway. . . . . . : 217.194.116.33
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 10.85.15.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 10.85.15.8


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.85.15.8'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
0
 

Author Comment

by:dutchgeek
ID: 16379893
Sorry that was netdiag, here is dcdiag:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Connectivity
         ......................... NL01EXC001 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Replications
         ......................... NL01EXC001 passed test Replications
      Starting test: NCSecDesc
         ......................... NL01EXC001 passed test NCSecDesc
      Starting test: NetLogons
         ......................... NL01EXC001 passed test NetLogons
      Starting test: Advertising
         ......................... NL01EXC001 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NL01EXC001 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NL01EXC001 passed test RidManager
      Starting test: MachineAccount
         ......................... NL01EXC001 passed test MachineAccount
      Starting test: Services
         ......................... NL01EXC001 passed test Services
      Starting test: ObjectsReplicated
         ......................... NL01EXC001 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NL01EXC001 passed test frssysvol
      Starting test: frsevent
         ......................... NL01EXC001 passed test frsevent
      Starting test: kccevent
         ......................... NL01EXC001 passed test kccevent
      Starting test: systemlog
         ......................... NL01EXC001 passed test systemlog
      Starting test: VerifyReferences
         ......................... NL01EXC001 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : nl
      Starting test: CrossRefValidation
         ......................... nl passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nl passed test CheckSDRefDom
   
   Running enterprise tests on : nl.fitnessfirst.local
      Starting test: Intersite
         ......................... nl.fitnessfirst.local passed test Intersite
      Starting test: FsmoCheck
         ......................... nl.fitnessfirst.local passed test FsmoCheck
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380003
dutchgeek,

hmm your server looks well and healthy!

think you are going to need to reset your group policy

Dcgpofix
Gpupdate /force
0
 

Author Comment

by:dutchgeek
ID: 16380158
Thanks a lot for your quick responses!!!!
The following happened. Do you have any suggestions?

WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
Unable to read EFS certificates from Registry.pol file of Default Domain Policy.
 The error was
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
The restore failed.  See previous messages for more details
0
 

Author Comment

by:dutchgeek
ID: 16380172
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380226
I have seen those NTFS permissions go slightly askew, but you mentioned above that you had already checked them so I didn't bother :)

let me know how you go  

happy to help mate :)
0
 

Author Comment

by:dutchgeek
ID: 16380256
Yeah, I mentioned it, but I thought what the heck, check it again. Turns out I checked properly; all permissions are set as described in this EE article.
Also, yesterday I installed Trend mailscan for Exchange. I just removed it, but you can probably guess the outcome. No result whatsoever.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16380306
Are you sure this server is 2003??

DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)

0
 

Author Comment

by:dutchgeek
ID: 16380338
Yeah, this worried me as well!! Yes, I'm sure it is Windows 2003 Standard SP1.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 1400 total points
ID: 16380354
Check the binding order of your NICs.  The internal (private addressing) needs to be at the top.
All services such as DNS and/or DHCP need to be listening only on the internal IP address.
Make sure to disable the following on the external NIC:

Client for MS Networks
File and Print Sharing
NetBIOS over TCP/IP (on the WINS tab from Advanced properties of TCP/IP)
Uncheck all options on the DNS tab to register in DNS.

0
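An audit of the four external-NIC items listed in the answer above, as an added example that is not part of the original thread. It assumes a Windows Server release that ships the NetAdapter module (not the 2003 server discussed here); `Test-IsPrivateIPv4` is a hypothetical helper, and binding order is not checked.

```powershell
# Added example: report, for every adapter with a public IPv4 address,
# the settings the answer says to turn off on the external NIC.
# Assumes the NetAdapter module; Test-IsPrivateIPv4 is a hypothetical helper.

function Test-IsPrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

$configs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

foreach ($cfg in $configs) {
    $adapter = Get-NetAdapter -InterfaceIndex $cfg.InterfaceIndex -ErrorAction SilentlyContinue
    if (-not $adapter) { continue }

    # Keep IPv4 addresses only, then decide whether this NIC is external.
    $ipv4 = @($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $public = @($ipv4 | Where-Object { -not (Test-IsPrivateIPv4 $_) })
    if ($public.Count -eq 0) { continue }   # internal NIC: checklist does not apply

    $client = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_msclient
    $server = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_server

    # Every boolean below should be False on the external NIC.
    [pscustomobject]@{
        Adapter             = $adapter.Name
        IPv4                = $ipv4 -join ', '
        ClientForMSNetworks = $client.Enabled
        FileAndPrintSharing = $server.Enabled
        # TcpipNetbiosOptions: 0 = per DHCP, 1 = enabled, 2 = disabled
        NetBIOSoverTcpip    = ($cfg.TcpipNetbiosOptions -ne 2)
        RegistersInDNS      = ($cfg.FullDNSRegistrationEnabled -or
                               $cfg.DomainDNSRegistrationEnabled)
    }
}
```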
 

Author Comment

by:dutchgeek
ID: 16380382
I was just about to let you know that this looks like the problem. I'm rebooting now. I checked the binding order and then did a GPO update.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380438
can't believe I missed that bit of info...... apologies
0
 

Author Comment

by:dutchgeek
ID: 16380471
Not fully working yet.
I get a different error when changing passwords. It says it does not meet complexity requirements. This is funny because these policies are all set to not defined, both in domain and in domain controller security. I'm doing the dcgpofix now and a reboot. Really hope this works; I'll let you know ASAP.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380494
you will need to edit the default domain controller policy and turn off password complexity if you don't want it configured - looks like your problem's solved though!

comp config - windows settings - security settings - password policies

disable password complexity - if you don't want it
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16380538
"you will need to edit the default domain controller policy "

Close.... :o)

The Default Domain Policy is where this comes from in the Domain.  The Default DC Policy only affects the DC itself (like local group policy on a client).

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380547
comp config - windows settings - security settings -account policies - password policies

that's what I meant to say! You can also edit this in the default domain policy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380549
sorry netman should have refreshed    
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16380564
You're doing just fine Jay!

0
 

Author Comment

by:dutchgeek
ID: 16380627
Mmmh, solved most of it but still a problem with setting passwords.
I keep getting an error on password requirements. I have set length to not defined and complexity to disabled. Did gpupdate /force, even rebooted the system. Still I cannot change a password to a simple four-letter word.
I thought this maybe had to do with the fact that I did the dcgpofix, so I just created a new user and tried a four-letter password. Same effect. It does not meet the requirements. I'm starting to go slightly mad.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 600 total points
ID: 16380659
did you do this on the default domain policy (got it this time!) or the default domain controller policy - have seen it need to be done on both for some reason
0
 

Author Comment

by:dutchgeek
ID: 16380858
By default the domain controller policy has all options set to not defined.
I did the changes on the domain security policy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380917
set those settings on the Domain controller policy to disabled
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16380935
off to bed my friend, if ya get stuck just post again and either myself or netman will help u out :)

gnite to you both!
0
 

Author Comment

by:dutchgeek
ID: 16381802
Good morning guys, sleep well?
I've got the problem fixed. I installed the GPMC from Microsoft. This showed two policies for the domain: number one being linked but with a red cross in front of it, number two being the default domain policy. I removed the first one, then the second of course became number one. Then I linked it.

Furthermore I had to set minimum password length to 0 instead of disabled. This is really weird because I have an identical machine right next to me. Here it is just set to disabled and works fine. But hey, as long as it works I am not complaining!!!
Since there's two of you I will be splitting the points. 350 for Netman66 since he came up with the initial solution. 150 for Jay Jay for his quick responses and assisting answers.
Thanks a lot guys!!!!!!!!!!
0
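A way to see the same picture GPMC gave in the post above, as an added example that is not part of the original thread: the password settings the domain is actually enforcing, and the GPO links at the domain root in precedence order (the lowest link order wins). It assumes the ActiveDirectory and GroupPolicy modules are installed; the `Unreadable` label is this example's own marker for a link whose GPO cannot be opened.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy PowerShell modules are available on the machine running it.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain

# Password settings currently in force for domain accounts.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount

# GPO links on the domain root. Order 1 has the highest precedence, so a
# stale link sitting above the Default Domain Policy deserves a close look.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks

$links | Sort-Object Order | ForEach-Object {
    $link = $_            # keep a reference; $_ is the error inside catch
    try {
        $status = (Get-GPO -Guid $link.GpoId -ErrorAction Stop).GpoStatus
    } catch {
        $status = 'Unreadable'   # link points at a GPO that cannot be read
    }
    [pscustomobject]@{
        Order       = $link.Order
        DisplayName = $link.DisplayName
        LinkEnabled = $link.Enabled
        Enforced    = $link.Enforced
        GpoStatus   = $status
    }
}
```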
 

Author Comment

by:dutchgeek
ID: 16381887
Sorry, it's getting late here as well. I did the points right but I messed up the accepted and assisted answer.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16382884
Not a problem at all.  Glad to help.

NM
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16386752
thank you and no problem - cheers

Thanks Netman for picking up what i missed!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16386879
Not here to criticize or find fault in you Jay, you did just fine.  Multi-homed servers that run services are pretty fussy on what NIC they bind the services to.  I've seen this too many times to count.

Glad it was an easy one!

NM




0
