dutchgeek

asked on

Group policies don't work unable to change passwords.

Hi there.

I have this huge problem.
We have a Windows 2003 Standard server in our datacentre. It is a PDC and is also running Exchange. There are no other machines in this domain. I did a clean install on this server before it went to the datacentre. Only thing was that I changed the policy for password complexity. This worked fine, and I put all the users into AD with a nice simple password for the time being.

Now that the server is in the datacentre and I'm moving clients to use this machine's webmail I will also have to change the passwords to the ones provided to me by the users.

That was the moment I got the following error.

Windows cannot complete the password change for (username) because, Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off.

Also in the event log I have these two IDs popping up.
Userenv 1058:
Windows cannot access the file gpt.ini

(note: this is weird because the file exists in this location and the rights assigned are all in order)

Userenv 1030:
Windows cannot query for list of group policy objects

I found a hotfix for it as described in KB article 842804.
This could not be installed because SP1 is newer.
Also I found an article in this forum which suggested I use the Dfsutil /purgemupcache.
No results whatsoever. I checked if the netlogon and sysvol share are present and have the correct rights assigned. This is the case.

I also checked if there is a DWORD value (WaitForNetwork) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
There was not so I created it. No results whatsoever. I also reinstalled SP1. Also no results.

Any help is appreciated.
I have 80 people with no email at this moment.


Jay_Jay70

Hi dutchgeek,

make sure you have the TCPIP helper service enabled and running

then run DCDIAG for me

Cheers!
dutchgeek

ASKER

Here you are:

    Computer Name: NL01EXC001
    DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)
    Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
    List of installed hotfixes :
        KB890046
        KB893756
        KB896358
        KB896422
        KB896424
        KB896428
        KB899587
        KB899588
        KB899589
        KB899591
        KB900725
        KB901017
        KB901214
        KB902400
        KB904706
        KB905414
        KB905915
        KB908519
        KB909520
        KB910437
        KB911564
        KB911927
        KB912919
        KB913446
        Q147222


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : InterNet

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 217.194.116.40
        Subnet Mask. . . . . . . . : 255.255.255.240
        Default Gateway. . . . . . : 217.194.116.33
        Dns Servers. . . . . . . . :

        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : NL01EXC001
        IP Address . . . . . . . . : 10.85.15.8
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . :
        Dns Servers. . . . . . . . : 10.85.15.8


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Skipped
            [WARNING] No gateways defined for this adapter.

        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    2 NetBt transports currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '10.85.15.8'.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
    The redir is bound to 2 NetBt transports.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
        NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
    The browser is bound to 2 NetBt transports.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information


The command completed successfully

Sorry, that was netdiag, here is dcdiag:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Connectivity
         ......................... NL01EXC001 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NL01EXC001
      Starting test: Replications
         ......................... NL01EXC001 passed test Replications
      Starting test: NCSecDesc
         ......................... NL01EXC001 passed test NCSecDesc
      Starting test: NetLogons
         ......................... NL01EXC001 passed test NetLogons
      Starting test: Advertising
         ......................... NL01EXC001 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NL01EXC001 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NL01EXC001 passed test RidManager
      Starting test: MachineAccount
         ......................... NL01EXC001 passed test MachineAccount
      Starting test: Services
         ......................... NL01EXC001 passed test Services
      Starting test: ObjectsReplicated
         ......................... NL01EXC001 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NL01EXC001 passed test frssysvol
      Starting test: frsevent
         ......................... NL01EXC001 passed test frsevent
      Starting test: kccevent
         ......................... NL01EXC001 passed test kccevent
      Starting test: systemlog
         ......................... NL01EXC001 passed test systemlog
      Starting test: VerifyReferences
         ......................... NL01EXC001 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : nl
      Starting test: CrossRefValidation
         ......................... nl passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nl passed test CheckSDRefDom
   
   Running enterprise tests on : nl.fitnessfirst.local
      Starting test: Intersite
         ......................... nl.fitnessfirst.local passed test Intersite
      Starting test: FsmoCheck
         ......................... nl.fitnessfirst.local passed test FsmoCheck

dutchgeek,

hmm your server looks well and healthy!

think you are going to need to reset your group policy

Dcgpofix
Gpupdate /force

Thanks a lot for your quick responses!!!!
The following happened. Do you have any suggestions?

WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
Unable to read EFS certificates from Registry.pol file of Default Domain Policy. The error was
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
The restore failed.  See previous messages for more details

I have seen those NTFS permissions go slightly askew but you mentioned above that you had already checked them so I didn't bother :)

let me know how you go  

happy to help mate :)

Yeah I mentioned it but I thought, what the heck, check it again. Turns out I checked properly; all permissions are set as described in this EE article.
Also, yesterday I installed Trend mailscan for Exchange. I just removed it but you can probably guess the outcome. No result whatsoever.

Netman66
Are you sure this server is 2003??

DNS Host Name: NL01EXC001.nl.fitnessfirst.local
    System info : Windows 2000 Server (Build 3790)

Yeah this worried me as well!! Yes I'm sure it is Windows 2003 Standard SP1
SOLUTION
Netman66
I was just about to let you know that this looks like the problem. I'm rebooting now. I checked the binding order and then did a GPO update

can't believe I missed that bit of info...... apologies

Not fully working yet.
I get a different error when changing passwords. It says it does not meet complexity requirements. This is funny because these policies are all set to not defined. Both in domain as in domain controller security. I'm doing the dcgpofix now and a reboot. Really hope this works, let you know ASAP

you will need to edit the default domain controller policy and turn off password complexity if you don't want it configured - looks like your problems solved though!

comp config - windows settings - security settings - password policies

disable password complexity - if you don't want it

"you will need to edit the default domain controller policy "

Close.... :o)

The Default Domain Policy is where this comes from in the Domain.  The Default DC Policy only affects the DC itself (like local group policy on a client).

comp config - windows settings - security settings - account policies - password policies

that's what I meant to say!   you can also edit this in the default domain policy
sorry netman should have refreshed

You're doing just fine Jay!

Mmmh solved most of it but still a problem with setting password.
I keep getting error on password requirements. I have set length to not defined and complexity to disabled. Did gpupdate /force, even rebooted the system. Still I cannot change password to a simple four letter word.
I thought this maybe had to do with the fact that I did the dcgpofix so I just created a new user and tried a four letter password. Same effect. It does not meet the requirements. I'm starting to go slightly mad.
ASKER CERTIFIED SOLUTION
By default the domain controller policy has all options set to not defined.
I did the changes on the domain security policy.

set those settings on the Domain controller policy to disabled
off to bed my friend, if ya get stuck just post again and either myself or netman will help u out :)

gnite to you both!

Good morning guys, sleep well?
I've got the problem fixed. I installed the GPMC from Microsoft. This showed two policies for the domain. Number one being linked but had a red cross in front of it. Number two being the default domain policy. I removed the first one, then the second of course became number one. Then I linked it.

Furthermore I had to set minimum password length to 0 instead of disabled. This is really weird because I have an identical machine right next to me. Here it is just set to disable and works fine. But hey, as long as it works I am not complaining!!!
Since there's two of you I will be splitting the points. 350 for Netman66 since he came up with the initial solution. 150 for Jay Jay for his quick responses and assisting answers.
Thanks a lot guys!!!!!!!!!!
Sorry it's getting late here as well. I did the points right but I messed up the accepted and assisted answer.

Not a problem at all.  Glad to help.

NM

thank you and no problem - cheers

Thanks Netman for picking up what I missed!

Not here to criticize or find fault in you Jay, you did just fine.  Multi-homed servers that run services are pretty fussy on what NIC they bind the services to.  I've seen this too many times to count.

Glad it was an easy one!

NM
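
Added example, not part of the thread and not Microsoft's code: a sketch of how password settings from GPO security templates (GptTmpl.inf, `[System Access]` section) resolve, assuming that a setting a GPO leaves Not Defined does not reset the value already stored for the domain. That assumption is consistent with what the asker reports (length Not Defined with complexity disabled still rejected a four-letter password, length 0 did not). The template text, the stored values and the audit baseline are constructed.

```python
import configparser

PASSWORD_KEYS = ("MinimumPasswordLength", "PasswordComplexity")

def defined_settings(inf_text):
    """Password settings a GPO security template (GptTmpl.inf) actually defines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    section = cp["System Access"]
    return {k: int(section[k]) for k in PASSWORD_KEYS if k in section}

def effective_policy(stored, gpos):
    """Apply GPOs, lowest precedence first, on top of the stored domain values.
    Assumption modelled here: a key a GPO omits ("Not Defined") resets nothing."""
    result = {k: (v, "previously stored value") for k, v in stored.items()}
    for name, inf_text in gpos:
        for key, value in defined_settings(inf_text).items():
            result[key] = (value, name)
    return result

def below_baseline(policy, min_length=8):
    """Settings weaker than an assumed audit baseline (length >= 8, complexity on)."""
    weak = []
    if policy["MinimumPasswordLength"][0] < min_length:
        weak.append("MinimumPasswordLength")
    if policy["PasswordComplexity"][0] != 1:
        weak.append("PasswordComplexity")
    return weak

# Constructed sample data, not taken from the thread.
STORED = {"MinimumPasswordLength": 7, "PasswordComplexity": 1}
LENGTH_NOT_DEFINED = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 0
"""
LENGTH_ZERO = LENGTH_NOT_DEFINED + "MinimumPasswordLength = 0\n"

if __name__ == "__main__":
    for label, inf in (("length Not Defined", LENGTH_NOT_DEFINED), ("length 0", LENGTH_ZERO)):
        policy = effective_policy(STORED, [("Default Domain Policy", inf)])
        print(label, policy, "below baseline:", below_baseline(policy))
```

The source label on each value shows which GPO, if any, supplied it, which is the quickest way to spot a length or complexity requirement that no linked policy currently defines.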