Robert Hatcher
asked on
Unable (as domain user) to change password and then log in
I have a 2012 R2 based domain. We now are using 2012 R2 servers as clients. All functions are maintained through GPO. Everything was working until recently. If a domain user with RDP access needs his password reset, then either the administrator or a domain admin resets it and provides the temporary password. That domain user then logs in, and as soon as he makes the change to his password the GUI goes away. He then attempts to log in again with the NEW password and it rejects it. This is repeatable. Some initial troubleshooting pointed towards some Windows patches that could cause this. I took some steps in removing these patches and nothing changed. I re-installed the patches.
We have 2400 local site personnel that use these devices locally. We have 100 "super" ETs that log in to these 2012 R2 clients and help the local site personnel or remotely fix something. So again everything works except if someone forgets their password.
If I (as admin) log in from my desktop (Windows 7) and reset the password for one of these accounts, then log in to the client 2012 R2 and make a new password, it switches over to the normal login and the new password works. So this problem only occurs if originated from the 2012 R2 client. Help!?
ASKER
2 domain controllers
2 in Sites and Service
Not a clue what the timing is. If I make a manual change to GPO or Active Directory I can jump over to the other system and it is already updated.
I left one detail out. (Sorry) We are painfully and slowly changing all 300 sites over from Windows XP clients to Windows 2012 R2 clients. The Windows XP work fine.
Some questions for clarification:
Sites = Locations? As in different buildings?
2012 R2 Clients = Remote Desktop Services running Session Host(s)?
On the 2012 R2 Client where the post password change log on attempt fails what does the Security Event Log say? There should be an AUDIT FAILURE notice in there.
ASKER
Yes. All client PCs are spread around the US. Approximately 300 clients. All under a firewall. We have a setup in our lab using the exact same setup as the field and also under a firewall. We have approx. 100 domain users to handle these sites as tier 2 people. Most of the sites are still Windows XP based and the domain users can RDP into the client PC and do his work. On occasions the user forgets his password so domain admins or myself reset his password and he makes a new one and life goes on. 60 sites so far have the 2012 R2 based client servers and as of a month ago the password reset stopped working as previously explained.
So I am looking for audit failures on the client. I am getting "Sensitive Privilege Use" Event ID: 4674.
Is this the correct description for 4674?
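For reference, event 4674 is "An operation was attempted on a privileged object" (the Sensitive Privilege Use category) and has nothing to do with the logon. The audit failure the expert asked for is 4625 ("An account failed to log on"); its Status and SubStatus fields carry the NTSTATUS code that says why the new password was rejected (wrong password, expired, must-change-at-next-logon, locked out, and so on). The script below is an added example, not code from the thread; it is meant to be run in an elevated PowerShell on the 2012 R2 host where the post-change logon fails. The account name jdoe and the two-hour look-back window are placeholders. With Network Level Authentication enabled, the failure is often recorded with LogonType 3 (the NLA credential check) rather than 10, so both are worth reading.

```powershell
# Added example, not part of the original thread.
# Run elevated on the 2012 R2 session host where the logon with the new password fails.
$User  = 'jdoe'                      # assumption: the affected domain account
$Since = (Get-Date).AddHours(-2)     # assumption: how far back to search

# Well-known NTSTATUS values that 4625 reports in Status / SubStatus.
$ntstatus = @{
    '0xc000006a' = 'wrong password'
    '0xc000006d' = 'bad user name or authentication information'
    '0xc000006e' = 'account restriction (logon hours, workstation restriction, blank password, ...)'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000133' = 'clock skew too great'
    '0xc000015b' = 'logon type not granted (e.g. no Remote Desktop right on this host)'
    '0xc0000224' = 'user must change password at next logon'
    '0xc0000234' = 'account locked out'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the EventData fields by name from the event XML instead of by positional index.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data.TargetUserName -ne $User) { return }

        $sub     = ([string]$data.SubStatus).ToLower()
        $meaning = $ntstatus[$sub]
        if (-not $meaning) { $meaning = 'not in table, see ntstatus.h' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType                 # 10 = RemoteInteractive (RDP), 3 = network (NLA), 2 = console
            AuthPackage = $data.AuthenticationPackageName # Kerberos vs NTLM tells you which path rejected it
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
            Status      = $data.Status
            SubStatus   = $sub
            Meaning     = $meaning
        }
    } | Format-Table -AutoSize
```

A SubStatus of 0xc000006a against the password that was just set points at the DC answering this host not having the change; 0xc0000224 means the account is still flagged "must change password at next logon", that is, the change never committed at all; 0xc0000234 means the earlier failed attempts locked the account, which would also explain why an admin-side reset appears to "fix" it. If no 4625 appears for the user at all, check that Audit Logon failure auditing is actually enabled on the host (auditpol /get /category:Logon/Logoff).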
Since the problem started a month ago what changed? Was there a patch or patches applied at that time?
ASKER
Sorry for the delays in responding. I checked and all replication is working correctly. Yes, there were patches, and trying to backtrack and determine which one is possibly the culprit is tricky. Finally, now I am unable to find the Event ID using either the 4674 number or the "Sensitive Privilege Use" phrase. I am somewhat flummoxed right now. I am still recovering from a mega cold or the flu or whatever knocked me down for several days, and I have several issues on my plate and could use some essential advice to get me re-focused, sir, on what to check next.
Could you post a sanitized version of the output from one of the 2012 R2 hosts please?
Elevated PowerShell:
Get-WindowsFeature | where {$_.installed -eq $true} | select DisplayName, Name, Installed
I suggest running this in C:\Temp.
ASKER
Please note I did this PS file on several clients and all had the exact same result.
Please see attached.
ASKER
I don't see the attachment, so here it is again as text.
PS C:\temp> Get-WindowsFeature | where {$_.installed -eq $true} | select DisplayName, Name, Installed

DisplayName                                     Name                       Installed
-----------                                     ----                       ---------
File and Storage Services                       FileAndStorage-Services    True
Storage Services                                Storage-Services           True
.NET Framework 3.5 Features                     NET-Framework-Features     True
.NET Framework 3.5 (includes .NET 2.0 and 3.0)  NET-Framework-Core         True
.NET Framework 4.5 Features                     NET-Framework-45-Features  True
.NET Framework 4.5                              NET-Framework-45-Core      True
WCF Services                                    NET-WCF-Services45         True
TCP Port Sharing                                NET-WCF-TCP-PortSharing45  True
Ink and Handwriting Services                    InkAndHandwritingServices  True
Media Foundation                                Server-Media-Foundation    True
Remote Assistance                               Remote-Assistance          True
Remote Server Administration Tools              RSAT                       True
Feature Administration Tools                    RSAT-Feature-Tools         True
SNMP Tools                                      RSAT-SNMP                  True
SMB 1.0/CIFS File Sharing Support               FS-SMB1                    True
SNMP Service                                    SNMP-Service               True
SNMP WMI Provider                               SNMP-WMI-Provider          True
User Interfaces and Infrastructure              User-Interfaces-Infra      True
Graphical Management Tools and Infrastructure   Server-Gui-Mgmt-Infra      True
Desktop Experience                              Desktop-Experience         True
Server Graphical Shell                          Server-Gui-Shell           True
Windows PowerShell                              PowerShellRoot             True
Windows PowerShell 4.0                          PowerShell                 True
Windows PowerShell 2.0 Engine                   PowerShell-V2              True
Windows PowerShell ISE                          PowerShell-ISE             True
Windows Server Backup                           Windows-Server-Backup      True
WoW64 Support                                   WoW64-Support              True
That looks reasonable. I wanted to make sure there was nothing errant in there.
Is there an A/V client on the 2012 R2 hosts that is not on the older systems?
ASKER
All clients, member servers and the Domains use the same level Symantec Endpoint 12.1. A System Admin handles all of the A/V.
ASKER
Philip,
Is there anything else besides replication that could cause this issue? I still think it is permissions. I really need to get this fixed, sir.
Apologies ... I'm in Redmond, WA for Microsoft MVP Summit so timing has been tight with little to spare.
ASKER CERTIFIED SOLUTION
How many Sites in Sites & Services?
What's the replication timing set up between DCs/Sites?
It sounds more like the DCs are not replicating the change through right away.
Depending on replication topology, I suspect that a changed password could take 15 minutes or more to replicate.
Now, if the ET changes the password on a DC local to the user that their system is authenticating to then it should be instant.
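One caveat a practitioner should keep in mind before settling on replication latency: a password change is replicated urgently to the PDC emulator, and a DC that rejects a password forwards the attempt to the PDC emulator before failing the logon, so an unreplicated change normally still authenticates. Replication lag therefore only explains the symptom if the change never reached the PDC emulator either (or the host is authenticating to a DC that cannot reach it). The check below is an added example, not code from the thread; it answers the two questions above (site count and link interval) and then asks every DC, PDC emulator included, for the account's pwdLastSet so you can see which DCs actually have the change. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) on a management host, and the account name jdoe is a placeholder; repadmin and nltest are built into Windows.

```powershell
# Added example, not part of the original thread.
# Run from an elevated PowerShell on a management host with RSAT-AD-PowerShell installed.
Import-Module ActiveDirectory

$User = 'jdoe'   # assumption: the account whose freshly changed password is rejected

# 1. Sites and the replication interval of each site link (answers the two questions above).
Get-ADReplicationSite -Filter * | Select-Object Name
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes, @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }

# 2. Ask every DC directly (not through the nearest one) for the account's password state.
#    pwdLastSet = 0 (shown as 1601-01-01) means "must change password at next logon",
#    i.e. that DC has seen the admin reset but not the user's change.
$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc -Properties pwdLastSet, LockedOut, PasswordExpired
        [pscustomobject]@{
            DC                 = $dc
            IsPDCEmulator      = ($dc -eq $pdc)
            PasswordLastSetUtc = [datetime]::FromFileTimeUtc($u.pwdLastSet)
            LockedOut          = $u.LockedOut
            PasswordExpired    = $u.PasswordExpired
        }
    } catch {
        [pscustomobject]@{ DC = $dc; IsPDCEmulator = ($dc -eq $pdc); PasswordLastSetUtc = "ERROR: $($_.Exception.Message)" }
    }
}

# 3. Replication health: any partner with a non-zero last result or consecutive failures is behind.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $dcs -PartnerType Both |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# 4. Run this part ON the failing 2012 R2 host: which DC does it actually use, and can it reach the PDC?
#    nltest /dsgetdc:$env:USERDNSDOMAIN
#    nltest /dsgetdc:$env:USERDNSDOMAIN /PDC
```

If the pwdLastSet values agree on every DC and the PDC emulator is reachable from the session host, replication is not the cause and the 4625 SubStatus on the host is the next thing to read. If they disagree, repadmin /syncall /AdeP from the DC that is behind forces the sync and gives a quick confirmation of the theory.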