Group policies don't work, unable to change passwords.

Hi there.

I have this huge problem.
We have a Windows 2003 Standard server in our datacentre. It is a PDC and is also running Exchange. There are no other machines in this domain. I did a clean install on this server before it went to the datacentre. The only thing was that I changed the policy for password complexity. This worked fine, and I put all the users into AD with a nice simple password for the time being.

Now that the server is in the datacentre and I'm moving clients to use this machine's webmail, I will also have to change the passwords to the ones provided to me by the users.

That was the moment I got the following error.

Windows cannot complete the password change for (username) because, Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off.

Also in the event log I have these two IDs popping up.
Userenv 1058:
Windows cannot access the file gpt.ini

(note: this is weird because the file exists in this location and the rights assigned are all in order)

Userenv 1030:
Windows cannot query for list of group policy objects

I found a hotfix for it as described in KB article 842804.
This could not be installed because SP1 is newer.
Also I found an article in this forum which suggested I use the Dfsutil /purgemupcache.
No results whatsoever. I checked if the netlogon and sysvol share are present and have the correct rights assigned. This is the case.

I also checked if there is a DWORD value (WaitForNetwork) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
There was not, so I created it. No results whatsoever. I also reinstalled SP1. Also no results.

Any help is appreciated.
I have 80 people with no email at this moment.


dutchgeek Asked:

Jay_Jay70 Commented:
Hi dutchgeek,

make sure you have the TCPIP helper service enabled and running

then run DCDIAG for me

Cheers!
dutchgeek (Author) Commented:
Here you are:

    Computer Name: NL01EXC001
    DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB905414
        KB905915
        KB908519
        KB909520
        KB910437
        KB911564
        KB911927
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : InterNet

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 217.194.116.40
        Subnet Mask. . . . . . . . : 255.255.255.240
        Default Gateway. . . . . . : 217.194.116.33
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 10.85.15.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 10.85.15.8


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.85.15.8'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully
dutchgeek (Author) Commented:
Sorry that was netdiag, here is dcdiag:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Connectivity
         ......................... NL01EXC001 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Replications
         ......................... NL01EXC001 passed test Replications
      Starting test: NCSecDesc
         ......................... NL01EXC001 passed test NCSecDesc
      Starting test: NetLogons
         ......................... NL01EXC001 passed test NetLogons
      Starting test: Advertising
         ......................... NL01EXC001 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NL01EXC001 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NL01EXC001 passed test RidManager
      Starting test: MachineAccount
         ......................... NL01EXC001 passed test MachineAccount
      Starting test: Services
         ......................... NL01EXC001 passed test Services
      Starting test: ObjectsReplicated
         ......................... NL01EXC001 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NL01EXC001 passed test frssysvol
      Starting test: frsevent
         ......................... NL01EXC001 passed test frsevent
      Starting test: kccevent
         ......................... NL01EXC001 passed test kccevent
      Starting test: systemlog
         ......................... NL01EXC001 passed test systemlog
      Starting test: VerifyReferences
         ......................... NL01EXC001 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : nl
      Starting test: CrossRefValidation
         ......................... nl passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nl passed test CheckSDRefDom
   
   Running enterprise tests on : nl.fitnessfirst.local
      Starting test: Intersite
         ......................... nl.fitnessfirst.local passed test Intersite
      Starting test: FsmoCheck
         ......................... nl.fitnessfirst.local passed test FsmoCheck

Jay_Jay70 Commented:
dutchgeek,

hmm your server looks well and healthy!

think you are going to need to reset your group policy

Dcgpofix
Gpupdate /force
dutchgeek (Author) Commented:
Thanks a lot for your quick responses!!!!
The following happened. Do you have any suggestions?

WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
Unable to read EFS certificates from Registry.pol file of Default Domain Policy. The error was
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
The restore failed.  See previous messages for more details
dutchgeek (Author) Commented:
Jay_Jay70 Commented:
i have seen those NTFS permissions go slightly askew but you mentioned above that you had already checked them so i didn't bother :)

let me know how you go  

happy to help mate :)
dutchgeek (Author) Commented:
Yeah I mentioned it but I thought what the heck, check it again. Turns out I checked properly; all permissions are set as described in this EE article.
Also yesterday I installed Trend mailscan for Exchange. I just removed it but you can probably guess the outcome. No result whatsoever.
Netman66 Commented:
Are you sure this server is 2003??

DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)

dutchgeek (Author) Commented:
Yeah this worried me as well!! Yes I'm sure it is Windows 2003 Standard SP1
Netman66 Commented:
Check the binding order of your NICs.  The internal (private addressing) needs to be at the top.
All services such as DNS and/or DHCP need to be listening only on the internal IP address.
Make sure to disable the following on the external NIC:

Client for MS Networks
File and Print Sharing
NetBIOS over TCP/IP (on the WINS tab from Advanced properties of TCP/IP)
Uncheck all options on the DNS tab to register in DNS.
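
Added example, not part of Netman66's post: a Python sketch that reads netdiag output in the layout posted earlier in this thread and flags the multi-homed condition described above, a NIC with a public address on which the redirector is still bound to NetBT. The function names and the binding heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# Excerpt of the netdiag output posted in this thread, trimmed for the example.
SAMPLE = """\
Per interface results:
    Adapter : InterNet
        IP Address . . . . . . . . : 217.194.116.40
        Default Gateway. . . . . . : 217.194.116.33
        Dns Servers. . . . . . . . :
    Adapter : Local Area Connection
        IP Address . . . . . . . . : 10.85.15.8
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 10.85.15.8
Global results:
Redir and Browser test . . . . . . : Passed
    The redir is bound to 2 NetBt transports.
"""

# "Key . . . : value" lines; the dotted padding between key and colon is dropped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return one dict per 'Adapter :' block in the per-interface section."""
    adapters, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Adapter":
            current = {"name": value}
            adapters.append(current)
        elif key == "Global results":
            current = None          # per-interface section is over
        elif current is not None:
            current[key] = value
    return adapters

def review(text):
    """Hypothetical helper: (public adapter names, redir transport count, notes)."""
    adapters = [a for a in parse_adapters(text) if a.get("IP Address")]
    public = [a["name"] for a in adapters
              if not ipaddress.ip_address(a["IP Address"]).is_private]
    m = re.search(r"redir is bound to (\d+) NetBt transports", text)
    bound = int(m.group(1)) if m else 0
    notes = [f"{n}: public address, unbind Client for MS Networks, File and Print "
             "Sharing and NetBIOS over TCP/IP on this NIC" for n in public]
    # Heuristic (assumption): more NetBT transports than internal NICs means the
    # redirector is still bound on an external one.
    if public and bound > len(adapters) - len(public):
        notes.append(f"redir bound to {bound} NetBT transports, "
                     f"{len(adapters) - len(public)} internal NIC(s)")
    return public, bound, notes
```
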

dutchgeek (Author) Commented:
I was just about to let you know that this looks like the problem. I'm rebooting now. I checked the binding order and then did a gpo update
Jay_Jay70 Commented:
can't believe i missed that bit of info...... apologies
dutchgeek (Author) Commented:
Not fully working yet.
I get a different error when changing passwords. It says it does not meet complexity requirements. This is funny because these policies are all set to not defined. Both in domain and in domain controller security. I'm doing the dcgpofix now and a reboot. Really hope this works, I'll let you know ASAP
Jay_Jay70 Commented:
you will need to edit the default domain controller policy and turn off password complexity if you don't want it configured - looks like your problem's solved though!

comp config - windows settings - security settings - password policies

disable password complexity - if you don't want it
Netman66 Commented:
"you will need to edit the default domain controller policy "

Close.... :o)

The Default Domain Policy is where this comes from in the Domain.  The Default DC Policy only affects the DC itself (like local group policy on a client).

Jay_Jay70 Commented:
comp config - windows settings - security settings - account policies - password policies

that's what i meant to say!   you can also edit this in the default domain policy
Jay_Jay70 Commented:
sorry netman should have refreshed
Netman66 Commented:
You're doing just fine Jay!

dutchgeek (Author) Commented:
Mmmh solved most of it but still a problem with setting password.
I keep getting an error on password requirements. I have set length to not defined and complexity to disabled. Did gpupdate /force, even rebooted the system. Still I cannot change password to a simple four letter word.
I thought this maybe had to do with the fact that I did the dcgpofix so I just created a new user and tried a four letter password. Same effect. It does not meet the requirements. I'm starting to go slightly mad.
Jay_Jay70 Commented:
did you do this on the default domain policy (got it this time!) or the default domain controller policy - have seen it need to be done on both for some reason

dutchgeek (Author) Commented:
By default the domain controller policy has all options set to not defined.
I did the changes on the domain security policy.
Jay_Jay70 Commented:
set those settings on the Domain controller policy to disabled
Jay_Jay70 Commented:
off to bed my friend, if ya get stuck just post again and either myself or netman will help u out :)

gnite to you both!
dutchgeek (Author) Commented:
Good morning guys, sleep well?
I've got the problem fixed. I installed the GPMC from Microsoft. This showed two policies for the domain. Number one being linked but had a red cross in front of it. Number two being the Default Domain Policy. I removed the first one, then the second of course became number one. Then I linked it.

Furthermore I had to set minimum password length to 0 instead of disabled. This is really weird because I have an identical machine right next to me. Here it is just set to disable and works fine. But hey, as long as it works I am not complaining!!!
Since there's two of you I will be splitting the points. 350 for Netman66 since he came up with the initial solution. 150 for Jay Jay for his quick responses and assisting answers.
Thanks a lot guys!!!!!!!!!!
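
Added example, not part of the original posts: a Python sketch that reads the `[System Access]` section of a security template exported on the DC with `secedit /export /cfg secpol.inf /areas SECURITYPOLICY` and reports which effective settings would reject a given password, so the enforced values can be compared with what the policy editor shows. The sample file contents, the value 7 and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of an exported template. A real export is UTF-16;
# read it with open(path, encoding="utf-16") before passing the text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def effective_policy(inf_text):
    """Return the length and complexity settings found in [System Access]."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' must stay literal
    cp.read_string(inf_text)
    sec = cp["System Access"]
    return {"min_length": sec.getint("MinimumPasswordLength", fallback=0),
            "complexity": sec.getint("PasswordComplexity", fallback=0) == 1}

def char_classes(password):
    """Count character classes present: lower, upper, digit, non-alphanumeric."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)

def blockers(inf_text, password):
    """Hypothetical helper: list the exported settings that reject `password`."""
    pol = effective_policy(inf_text)
    reasons = []
    if len(password) < pol["min_length"]:
        reasons.append(f"MinimumPasswordLength = {pol['min_length']}, "
                       f"password has {len(password)} characters")
    # With complexity on, Windows wants characters from three classes.
    if pol["complexity"] and char_classes(password) < 3:
        reasons.append("PasswordComplexity = 1, password uses "
                       f"{char_classes(password)} character class(es)")
    return reasons
```
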
dutchgeek (Author) Commented:
Sorry it's getting late here as well. I did the points right but I messed up the accepted and assisted answer.
Netman66 Commented:
Not a problem at all.  Glad to help.

NM
Jay_Jay70 Commented:
thank you and no problem - cheers

Thanks Netman for picking up what i missed!
Netman66 Commented:
Not here to criticize or find fault in you Jay, you did just fine.  Multi-homed servers that run services are pretty fussy on what NIC they bind the services to.  I've seen this too many times to count.

Glad it was an easy one!

NM



