dutchgeek
asked on
Group policies don't work unable to change passwords.
Hi there.
I have this huge problem.
We have a Windows 2003 Standard server in our datacentre. It is a PDC and is also running Exchange. There are no other machines in this domain. I did a clean install on this server before it went to the datacentre. Only thing was that I changed the policy for password complexity. This worked fine, and I put all the users into AD with a nice simple password for the time being.
Now that the server is in the datacentre and I'm moving clients to use this machine's webmail, I will also have to change the passwords to the ones provided to me by the users.
That was the moment I got the following error.
Windows cannot complete the password change for (username) because, Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off.
Also in the event log I have these two IDs popping up.
Userenv 1058:
Windows cannot access the file gpt.ini
(note: this is weird because the file exists in this location and the rights assigned are all in order)
Userenv 1030:
Windows cannot query for list of group policy objects
I found a hotfix for it as described in KB article 842804.
This could not be installed because SP1 is newer.
Also I found an article in this forum which suggested I use Dfsutil /purgemupcache.
No results whatsoever. I checked if the netlogon and sysvol shares are present and have the correct rights assigned. This is the case.
I also checked if there is a DWORD value (WaitForNetwork) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
There was not, so I created it. No results whatsoever. I also reinstalled SP1. Also no results.
Any help is appreciated.
I have 80 people with no email at this moment.
ASKER
Here you are:
Computer Name: NL01EXC001
DNS Host Name: NL01EXC001.nl.fitnessfirst.local
System info : Windows 2000 Server (Build 3790)
Processor : x86 Family 15 Model 4 Stepping 9, GenuineIntel
List of installed hotfixes :
KB890046
KB893756
KB896358
KB896422
KB896424
KB896428
KB899587
KB899588
KB899589
KB899591
KB900725
KB901017
KB901214
KB902400
KB904706
KB905414
KB905915
KB908519
KB909520
KB910437
KB911564
KB911927
KB912919
KB913446
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : InterNet
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : NL01EXC001
IP Address . . . . . . . . : 217.194.116.40
Subnet Mask. . . . . . . . : 255.255.255.240
Default Gateway. . . . . . : 217.194.116.33
Dns Servers. . . . . . . . :
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : NL01EXC001
IP Address . . . . . . . . : 10.85.15.8
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 10.85.15.8
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Skipped
[WARNING] No gateways defined for this adapter.
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
2 NetBt transports currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.85.15.8'.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
The redir is bound to 2 NetBt transports.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{D65E0DE3-BC09-4FA7-8E91-E5E758475F78}
NetBT_Tcpip_{0E47D9D5-2B2A-44BA-A518-439E7C760890}
The browser is bound to 2 NetBt transports.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
ASKER
Sorry that was netdiag, here is dcdiag:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\NL01EXC001
Starting test: Connectivity
......................... NL01EXC001 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\NL01EXC001
Starting test: Replications
......................... NL01EXC001 passed test Replications
Starting test: NCSecDesc
......................... NL01EXC001 passed test NCSecDesc
Starting test: NetLogons
......................... NL01EXC001 passed test NetLogons
Starting test: Advertising
......................... NL01EXC001 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... NL01EXC001 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... NL01EXC001 passed test RidManager
Starting test: MachineAccount
......................... NL01EXC001 passed test MachineAccount
Starting test: Services
......................... NL01EXC001 passed test Services
Starting test: ObjectsReplicated
......................... NL01EXC001 passed test ObjectsReplicated
Starting test: frssysvol
......................... NL01EXC001 passed test frssysvol
Starting test: frsevent
......................... NL01EXC001 passed test frsevent
Starting test: kccevent
......................... NL01EXC001 passed test kccevent
Starting test: systemlog
......................... NL01EXC001 passed test systemlog
Starting test: VerifyReferences
......................... NL01EXC001 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : nl
Starting test: CrossRefValidation
......................... nl passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... nl passed test CheckSDRefDom
Running enterprise tests on : nl.fitnessfirst.local
Starting test: Intersite
......................... nl.fitnessfirst.local passed test Intersite
Starting test: FsmoCheck
......................... nl.fitnessfirst.local passed test FsmoCheck
dutchgeek,
hmm your server looks well and healthy!
think you are going to need to reset your group policy
Dcgpofix
Gpupdate /force
ASKER
Thanks a lot for your quick responses!!!!
The following happened. Do you have any suggestions?
WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
Unable to read EFS certificates from Registry.pol file of Default Domain Policy.
The error was
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.
The restore failed. See previous messages for more details
ASKER
Hey, this might be it. I'll try it and let you know.
https://www.experts-exchange.com/questions/21594134/Group-Policies-Access-Denied-Event-1058-Event-1030-Windows-2003.html
I have seen those NTFS permissions go slightly askew, but you mentioned above that you had already checked them so I didn't bother :)
let me know how you go
happy to help mate :)
ASKER
Yeah, I mentioned it, but I thought what the heck, check it again. Turns out I checked properly; all permissions are set as described in this EE article.
Also, yesterday I installed Trend mailscan for Exchange. I just removed it, but you can probably guess the outcome. No result whatsoever.
Are you sure this server is 2003??
DNS Host Name: NL01EXC001.nl.fitnessfirst.local
System info : Windows 2000 Server (Build 3790)
ASKER
Yeah, this worried me as well!! Yes, I'm sure it is Windows 2003 Standard SP1.
SOLUTION
ASKER
I was just about to let you know that this looks like the problem. I'm rebooting now. I checked the binding order and then did a GPO update.
Can't believe I missed that bit of info...... apologies
ASKER
Not fully working yet.
I get a different error when changing passwords. It says it does not meet complexity requirements. This is funny because these policies are all set to not defined. Both in domain as in domain controller security. I'm doing the dcgpofix now and a reboot. Really hope this works, let you know ASAP.
you will need to edit the default domain controller policy and turn off password complexity if you don't want it configured - looks like your problem's solved though!
comp config - windows settings - security settings - password policies
disable password complexity - if you don't want it
"you will need to edit the default domain controller policy "
Close.... :o)
The Default Domain Policy is where this comes from in the Domain. The Default DC Policy only affects the DC itself (like local group policy on a client).
comp config - windows settings - security settings - account policies - password policies
that's what I meant to say! you can also edit this in the default domain policy
sorry netman should have refreshed
You're doing just fine Jay!
ASKER
Mmmh solved most of it but still a problem with setting password.
I keep getting an error on password requirements. I have set length to not defined and complexity to disabled. Did gpupdate /force, even rebooted the system. Still I cannot change the password to a simple four letter word.
I thought this maybe had to do with the fact that I did the dcgpofix, so I just created a new user and tried a four letter password. Same effect. It does not meet the requirements. I'm starting to go slightly mad.
ASKER CERTIFIED SOLUTION
ASKER
By default the domain controller policy has all options set to not defined.
I did the changes on the domain security policy.
set those settings on the Domain controller policy to disabled
off to bed my friend, if ya get stuck just post again and either myself or netman will help u out :)
gnite to you both!
ASKER
Good morning guys, sleep well?
I've got the problem fixed. I installed the GPMC from Microsoft. This showed two policies for the domain. Number one being linked but had a red cross in front of it. Number two being the Default Domain Policy. I removed the first one, then the second of course became number one. Then I linked it.
Furthermore I had to set minimum password length to 0 instead of disabled. This is really weird because I have an identical machine right next to me. Here it is just set to disabled and works fine. But hey, as long as it works I am not complaining!!!
Since there's two of you I will be splitting the points. 350 for Netman66 since he came up with the initial solution. 150 for Jay Jay for his quick responses and assisting answers.
Thanks a lot guys!!!!!!!!!!
ASKER
Sorry, it's getting late here as well. I did the points right but I messed up the accepted and assisted answer.
Not a problem at all. Glad to help.
NM
thankyou and no problem - cheers
Thanks Netman for picking up what I missed!
Not here to criticize or find fault in you Jay, you did just fine. Multi-homed servers that run services are pretty fussy on what NIC they bind the services to. I've seen this too many times to count.
Glad it was an easy one!
NM
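Added example, not part of the thread and not written by any of its posters: the multi-homed layout mentioned in the reply above can be read straight from the per-interface section of the netdiag output posted earlier. This Python check parses that section and flags the conditions worth reviewing on a domain controller; the sample text is constructed from the values in the thread, the function names and finding codes are assumptions, and it assumes DNS servers are listed on one line as in that output.

```python
import ipaddress

# Constructed sample in the shape netdiag prints its per-interface section,
# trimmed to the fields used here (values mirror the output posted above).
SAMPLE_NETDIAG = """\
Per interface results:
Adapter : InterNet
Host Name. . . . . . . . . : NL01EXC001
IP Address . . . . . . . . : 217.194.116.40
Subnet Mask. . . . . . . . : 255.255.255.240
Default Gateway. . . . . . : 217.194.116.33
Dns Servers. . . . . . . . :
Default gateway test . . . : Passed
Adapter : Local Area Connection
Host Name. . . . . . . . . : NL01EXC001
IP Address . . . . . . . . : 10.85.15.8
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : 10.85.15.8
[WARNING] No gateways defined for this adapter.
Global results:
Domain membership test . . . . . . : Passed
"""


def parse_adapters(text):
    """Return one dict per 'Adapter :' block between the per-interface
    header and the 'Global results:' header."""
    adapters, current, in_section = [], None, False
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # warnings and free text carry no 'key : value' pair
        key, value = key.strip(" ."), value.strip()
        if key == "Per interface results":
            in_section = True
        elif key == "Global results":
            break
        elif in_section and key == "Adapter":
            current = {"name": value, "ip": None, "gateway": None, "dns": []}
            adapters.append(current)
        elif current is not None:
            if key == "IP Address":
                current["ip"] = value or None
            elif key == "Default Gateway":
                current["gateway"] = value or None
            elif key == "Dns Servers":
                current["dns"] = value.split()
    return adapters


def review(adapters):
    """Return (adapter, finding) pairs; '*' marks a host-wide finding."""
    findings = []
    if len(adapters) > 1:
        # More than one NIC: service binding order needs checking.
        findings.append(("*", "multi-homed"))
    for a in adapters:
        if a["ip"] and not ipaddress.ip_address(a["ip"]).is_private:
            # A routable address on a DC also exposes its services.
            findings.append((a["name"], "public-address"))
        if not a["dns"]:
            # This interface cannot locate the domain through DNS.
            findings.append((a["name"], "no-dns"))
    return findings


if __name__ == "__main__":
    for adapter, finding in review(parse_adapters(SAMPLE_NETDIAG)):
        print(f"{adapter}: {finding}")
```
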
make sure you have the TCPIP helper service enabled and running
then run DCDIAG for me
Cheers!