How do I fix corrupted AD user password

I have a 2003 domain with 75 users.  I recently made a password change for everyone but I have one user that when I change his password, it causes problems for him.  We are using citrix and he is able to log on citrix/TS session just fine with new password.  However, when he tries to open "my documents", which is redirected to another server location, it pops up box asking for username and password and tries to prefill the domainname\user in the username.  When he logs off session, it states that windows can't save profile.  I do have TS roaming profile to same server that my docs is redirected.  

If I change this user's password back to the old password in AD, he can log on and work fine and no error when logging off citrix session.  So the problem is with changing password.

I have tried deleting profile from TS profile location.  Did not work.  I tried turning off TS roaming profile and that did not work either.  Only thing that works is changing password back to old one.

Any ideas or fixes for this user?
kencruzanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
It's possible the password hasn't been replicated to the Domain Controllers at the other sites yet. You may want to try forcing replication from between the DC that you reset his password on and the DC that is at the location of the server that is giving you issues.
0
ChiefITCommented:
Get ahold of the users computer and navigate into

XP computers:::  Control Panel>>Users>>advanced>>managed passwords



Vista/W7 puters: Control pannel>>User accounts>>Credential Manager

and remove the stored "OLD" TS logon credentials.

Then, consider creating a TS policy to prevent from storing passwords in credential manager or managed passwords..
0
kencruzanAuthor Commented:
I have tried replicating DCs with no luck.  Still same user having the problem.  

I have gone to local computer and gone into users and don't see old TS logon credentials.  On local compuer which is not part of domain, there is just one user named "user".  That password never changed.  I did try creating new user with new password and that too gave same results.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

gurdeep1302Commented:
Hi,

Try yo enable UserEnv Log for Win XP follow article -- http://support.microsoft.com/kb/221833 AND in case of Win 7 try creating the following registry key

Value Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
Value Name: GPSvcDebugLevel
Value Type: REG_DWORD
Value Data: 30002 (hex)

Output: %windir%\debug\usermode\gpsvc.log

Post the logs might be of some help.
0
kencruzanAuthor Commented:
If you think it is due to the local user's local computer settings, why does the same thing happen when he logs on from another computer to the citrix session using his new password?  It is on the citrix session that mapped drives and such don't work.

I would think if it is some stored password on local computer it would only happen when logging into citrix on that machine.  but that is not the case.
0
CoralonCommented:
Ok, this is definitely nothing to do with the local workstation.  This is a straight permissions issue/AD issue.

First thing, check the location of his my documents.  Even though it's redirected by policy, it may not be taking effect.  To validate this, check his registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal.

Next check the NTFS permissions at the location.  Under 2003, the user must have Full Control of the directory.  Also, be sure that you remove his permissions at that location and grant them again.  This is important in case another admin deleted  his account and recreated it with the same name.  I that circumstance, you would potentially see this issue.

Lastly, check the Share permissions to make sure they were not modified.  I normally do not bother with Share permissions, I leave them at Everyone:Full (or authenticated users:full depending on the environment).  But if that is locked down, they will have issues also.

Coralon

0
kencruzanAuthor Commented:
Sorry I have not repsonded in a couple of days.  I have been trouble shooting this issue starting from scratch.  Password gets replicated to all DC's so that is not the problem.  I replaced the user's local computer with a Xenith Zero thin client which does not store credentials so that is not the problem.  
I checked to make sure my documents redirection is correct.  It is setup through GP and works for everyone in same OU.  That is not the problem.  The user must be getting correct password because they are logging into citrix with it and citrix gets the password from AD.  THey are not limited to problems with My Documents as if they go to any appication or folder with a mapped drive or stored on a different server, it will ask for their domain credentials.  No matter what they use, it will not allow them access.  Very strange but I am determined I will figure it out today....
0
CoralonCommented:
Are the share permissions corrupted?  This definitely sounds like a weird one :-)

Coralon
0
kencruzanAuthor Commented:
I was thinking share permissions too but they are all correct.  

I was going to delete the user from AD and start over but when I went through the tabs in AD, I found something strange.  This user connects via thin client not on the domain but in a remote office from server.  However when they log into citrix their credentials are on the server.  THey had the TS profile location setup under local profile and then nothing under the TS profile.  I deleted the path to the local profile.  I then logged them on citrix and while on citrix, I delete the user folder from the path that was in the local profile.  THen I logged user off and that of course saved the TS profile in the correct path.  I changed user password and now everything works great.  

Not sure why it did what it did but I got it to work finally.  
So now how do I award any points for everyone's help?  I guess I found solution but I sure appreciate everyone's help for leading me to places I would have not thought of.  let me know how to distribute.
0
kencruzanAuthor Commented:
I spoke too soon.  User logged on fine yesterday but today when logging on to citrix it takes the new password but when loginscript is running and mapping drives it stops with dos box open asking for username and password to one of the servers.  This server is DC, location of "my docs" and profile folders, and where many of the applications are installed.

If I put in username and new password, it connects fine but when logging off citrix I still get the error that profile is not being saved.  It of course ask again for username and password the next time I log on to citrix.

So now it appears to be corrupt user in AD?  or security issue?  I'm at a loss  What are my options?
0
kencruzanAuthor Commented:
notice one more thing that is strange.  When I log this user into citrix and then try going to a mapped drive or say "my documents" (redirected to another server), a login credential window pops up but it prefills the username as:   exchange\username
we do have an exchange server but its server name is exchange00.  I would think it would want just the username or the domainname\username.   Very strange
0
CoralonCommented:
I'm wondering if the domain membership of the Citrix box is off?  You should be able to safely disjoin the domain and rejoin it..  since it's obvious for some reason the credentials aren't being initially accepted.  

Is there a significant time difference between the Citrix server and the file servers?  The domain only allows for 5 minutes differentiation between the two of them before you start getting authentication issues (much more severe under Win2k8.. but still exists in Win2k3).    

Check the registry and policies for NTLM settings.. It's possible one of them is set to not use the correct authentication level?
HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

Open in new window

 (Search technet for lmcompatibiliylevel there are a *ton* of articles on the subject.

Coralon
0
kencruzanAuthor Commented:
I can't disjoin the server until the weekend but here is what I just did which seems to work.  I create an entire new login.bat file for user mapping the needed drives.  I then loged on to citrix as that user with all GPs turned off.  I manually dissconected all mapped drives.  I then logged off, linked GP back and logged user back on.  And everything mapped correctly, no dos box poping up asking for username and password.  Everything appears working fine but I won't get my hopes up this time since same thing happened yesterday only to find it did not work this morning :)

I just assumed a bad mapping since the login script stopped and wanted credentials.
0
CoralonCommented:
That's really interesting, and I'm sure you are correct.  I don't think I've seen persistent drives hang on to the credentials, unless they were originally mapped with "use alternate credentials" :-\  

I'd say don't bother disjoining the server it this fixes it.  :-)  If it does, then you can modify your script to be more cautious..

basically something like:

if exist h: then (net use h: /d && net use h: \\server\location /persis:no) else (net use h: \\server\location /persis:no)

Open in new window


Coralon
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kencruzanAuthor Commented:
Thanks Coralon.  It indeed seems to be the mapped drives hung on old credentials.  I will add your line to the loging script.

Thanks for your help.
0
CoralonCommented:
Glad to help :-)

Coralon
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.