kencruzan
How do I fix corrupted AD user password

I have a 2003 domain with 75 users.  I recently made a password change for everyone, but I have one user that when I change his password, it causes problems for him.  We are using Citrix and he is able to log on to the Citrix/TS session just fine with the new password.  However, when he tries to open "My Documents", which is redirected to another server location, it pops up a box asking for username and password and tries to prefill domainname\user in the username.  When he logs off the session, it states that Windows can't save the profile.  I do have the TS roaming profile on the same server that My Documents is redirected to.

If I change this user's password back to the old password in AD, he can log on and work fine and no error when logging off citrix session.  So the problem is with changing password.

I have tried deleting profile from TS profile location.  Did not work.  I tried turning off TS roaming profile and that did not work either.  Only thing that works is changing password back to old one.

Any ideas or fixes for this user?
Adam Brown

It's possible the password hasn't been replicated to the Domain Controllers at the other sites yet. You may want to try forcing replication from between the DC that you reset his password on and the DC that is at the location of the server that is giving you issues.
Get ahold of the user's computer and navigate into

XP computers: Control Panel>>Users>>Advanced>>Managed Passwords

Vista/W7 computers: Control Panel>>User Accounts>>Credential Manager

and remove the stored "OLD" TS logon credentials.

Then, consider creating a TS policy to prevent storing passwords in Credential Manager or Managed Passwords.
kencruzan (ASKER)

I have tried replicating DCs with no luck.  Still same user having the problem.  

I have gone to the local computer and gone into Users and don't see old TS logon credentials.  On the local computer, which is not part of the domain, there is just one user named "user".  That password never changed.  I did try creating a new user with a new password and that too gave the same results.
Hi,

Try to enable UserEnv logging for Win XP following this article -- http://support.microsoft.com/kb/221833 AND in the case of Win 7 try creating the following registry key

Value Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
Value Name: GPSvcDebugLevel
Value Type: REG_DWORD
Value Data: 30002 (hex)

Output: %windir%\debug\usermode\gpsvc.log

Post the logs; they might be of some help.
If you think it is due to the local user's local computer settings, why does the same thing happen when he logs on from another computer to the Citrix session using his new password?  It is in the Citrix session that mapped drives and such don't work.

I would think if it is some stored password on the local computer it would only happen when logging into Citrix on that machine.  But that is not the case.
Ok, this definitely has nothing to do with the local workstation.  This is a straight permissions issue/AD issue.

First thing, check the location of his My Documents.  Even though it's redirected by policy, it may not be taking effect.  To validate this, check his registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal.

Next check the NTFS permissions at the location.  Under 2003, the user must have Full Control of the directory.  Also, be sure that you remove his permissions at that location and grant them again.  This is important in case another admin deleted his account and recreated it with the same name.  In that circumstance, you would potentially see this issue.

Lastly, check the share permissions to make sure they were not modified.  I normally do not bother with share permissions; I leave them at Everyone:Full (or Authenticated Users:Full depending on the environment).  But if that is locked down, they will have issues also.

Coralon

Sorry I have not responded in a couple of days.  I have been troubleshooting this issue starting from scratch.  The password gets replicated to all DCs, so that is not the problem.  I replaced the user's local computer with a Xenith Zero thin client which does not store credentials, so that is not the problem.
I checked to make sure the My Documents redirection is correct.  It is set up through GP and works for everyone in the same OU.  That is not the problem.  The user must be getting the correct password because they are logging into Citrix with it and Citrix gets the password from AD.  They are not limited to problems with My Documents; if they go to any application or folder on a mapped drive or stored on a different server, it will ask for their domain credentials.  No matter what they use, it will not allow them access.  Very strange, but I am determined I will figure it out today....
Are the share permissions corrupted?  This definitely sounds like a weird one :-)

Coralon
I was thinking share permissions too, but they are all correct.

I was going to delete the user from AD and start over, but when I went through the tabs in AD, I found something strange.  This user connects via a thin client not on the domain but in a remote office from the server.  However, when they log into Citrix their credentials are on the server.  They had the TS profile location set up under the local profile and then nothing under the TS profile.  I deleted the path to the local profile.  I then logged them on to Citrix and, while on Citrix, I deleted the user folder from the path that was in the local profile.  Then I logged the user off and that of course saved the TS profile in the correct path.  I changed the user's password and now everything works great.

Not sure why it did what it did, but I got it to work finally.
So now how do I award any points for everyone's help?  I guess I found the solution, but I sure appreciate everyone's help for leading me to places I would not have thought of.  Let me know how to distribute.
I spoke too soon.  The user logged on fine yesterday, but today when logging on to Citrix it takes the new password, but when the login script is running and mapping drives it stops with a DOS box open asking for username and password to one of the servers.  This server is a DC, the location of the "My Docs" and profile folders, and where many of the applications are installed.

If I put in the username and new password, it connects fine, but when logging off Citrix I still get the error that the profile is not being saved.  It of course asks again for username and password the next time I log on to Citrix.

So now it appears to be a corrupt user in AD?  Or a security issue?  I'm at a loss.  What are my options?
Noticed one more thing that is strange.  When I log this user into Citrix and then try going to a mapped drive or say "My Documents" (redirected to another server), a login credential window pops up, but it prefills the username as:   exchange\username
We do have an Exchange server, but its server name is exchange00.  I would think it would want just the username or the domainname\username.   Very strange.
I'm wondering if the domain membership of the Citrix box is off?  You should be able to safely disjoin the domain and rejoin it, since it's obvious that for some reason the credentials aren't being initially accepted.

Is there a significant time difference between the Citrix server and the file servers?  The domain only allows for 5 minutes differentiation between the two of them before you start getting authentication issues (much more severe under Win2k8.. but still exists in Win2k3).    

Check the registry and policies for NTLM settings.  It's possible one of them is set to not use the correct authentication level?
HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

(Search TechNet for LMCompatibilityLevel; there are a *ton* of articles on the subject.)

Coralon
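A diagnostic script that checks the three things raised in this reply (clock skew against the file server, LMCompatibilityLevel on both hosts, and connections or stored credentials still pointing at the server). This is an added example, not code from the thread; $FileServer is a placeholder for the DC that hosts the profile share, and it is meant to be run in an elevated PowerShell session on the Citrix/TS server.

```powershell
# Added diagnostic, not from the thread. Run elevated on the Citrix/TS server.
# $FileServer is a placeholder: replace it with the DC/file server that prompts for credentials.
param([string]$FileServer = 'FILESERVER01')

function Get-ClockSkewSeconds {
    param([string]$Computer)
    # Read the remote clock over WMI (works against Server 2003). Kerberos tolerates
    # 5 minutes by default; beyond that, authentication to the server starts failing.
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $Computer
    $remote = $os.ConvertToDateTime($os.LocalDateTime)
    [math]::Abs(((Get-Date) - $remote).TotalSeconds)
}

function Get-LmCompatibilityLevel {
    param([string]$Computer = $env:COMPUTERNAME)
    # Remote registry read (Remote Registry service must be running on the target).
    # A missing value means the OS default applies; mismatched levels break NTLM logons.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $lsa = $hklm.OpenSubKey('System\CurrentControlSet\Control\Lsa')
    $value = $lsa.GetValue('LMCompatibilityLevel')
    if ($null -eq $value) { 'not set (OS default)' } else { $value }
}

function Get-ConnectionsTo {
    param([string]$Computer)
    # Mapped drives and IPC$ sessions opened under the old password keep their
    # credentials; 'net use' shows them as Disconnected/Unavailable for this server.
    net use 2>$null | Select-String -Pattern ([regex]::Escape($Computer))
}

Write-Host "Session runs as: $(whoami)"

$skew = Get-ClockSkewSeconds -Computer $FileServer
$verdict = if ($skew -gt 300) { '(over 5 minutes: Kerberos will fail)' } else { '(ok)' }
Write-Host ("Clock skew to {0}: {1:N0} s {2}" -f $FileServer, $skew, $verdict)

Write-Host "LMCompatibilityLevel on this host:  $(Get-LmCompatibilityLevel)"
Write-Host "LMCompatibilityLevel on ${FileServer}: $(Get-LmCompatibilityLevel -Computer $FileServer)"

Write-Host "Stored credentials on this host (cmdkey):"
cmdkey /list

Write-Host "Existing connections to ${FileServer}:"
Get-ConnectionsTo -Computer $FileServer
```

Run it in the affected user's Citrix session as well as an admin session: a stored entry or a Disconnected connection that appears only for that user points at the session, while a skew or level mismatch points at the servers.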
I can't disjoin the server until the weekend, but here is what I just did which seems to work.  I created an entirely new login.bat file for the user mapping the needed drives.  I then logged on to Citrix as that user with all GPs turned off.  I manually disconnected all mapped drives.  I then logged off, linked GP back and logged the user back on.  And everything mapped correctly, no DOS box popping up asking for username and password.  Everything appears to be working fine, but I won't get my hopes up this time since the same thing happened yesterday only to find it did not work this morning :)

I just assumed a bad mapping since the login script stopped and wanted credentials.
ASKER CERTIFIED SOLUTION
Coralon
Thanks Coralon.  It indeed seems to be the mapped drives hung on old credentials.  I will add your line to the login script.

Thanks for your help.
Glad to help :-)

Coralon