Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Password Policy. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Policy.

Common Issues

The custom message is not displayed when failing to meet the password rules

Possible cause

The MS filter is blocking the password

Possible solution

After you’ve ensured that the new password meets at least the default domain policy, confirm whether a fine-grained password policy (FGPP) is in place. FGPPs can be found in the Password Settings Container. Delete any FGPP to ensure that the domain policy is applied, and verify that the custom message appears as expected.

The Sentinel appears as “not installed” on the DC even though it has been installed.

Possible cause

If the account you are logged in with doesn’t have access to the admin$ share on the DC then you will get the “not Installed” message.

Possible solution

You need to be logged in with a Domain Admin level account to connect to this share. The Admin Tool checks for the existence of the file.

To ensure that the file is running, use Process Explorer (SysInternals/Microsoft tool https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx). The file will appear under LSASS.EXE in one of the threads.

“The system cannot find the path specified” error in the eventlog

Possible cause

Specops Password Policy and Specops Password Reset leverage the same Client. In this case, the Client is looking for SPR.ini in the Specops Password Reset product.

Possible solution

If you are not using Specops Password Reset, this message can be safely ignored.

User does not receive the Specops message when they enter a password that does not meet complexity requirement

Possible cause

  • The password does not meet Microsoft’s default password complexity requirements.
  • The Specops Client is not installed.

Possible solution

  • Ensure that the password has met Microsoft’s password complexity requirements.
  • Ensure that the Specops Client is installed.

“Invalid License File” error in the Domain Administration Tool

Possible cause

  • Version mismatch between Administration Tool and license key.

Possible solution

  • Contact Specops Support for correct license file version.

User is unable to meet the policy requirements and cannot change password

Possible cause

There may a problem with the dictionary file.

Possible solution

  1. In the Group Policy Editor, expand User Configuration, Windows Settings, and select Specops Password policy.
  2. Click Configure Password Policy.
  3. Select the Password Rules tab.
  4. Disable the Disallow words from dictionary checkbox.

Cannot view the sentinel state in the domain administration tool

Possible cause

The person running the tool is unable to connect to the admin share on the DC’s.

Possible solution

Ensure that the user running the Domain Administration Tool has the appropriate rights to monitor the status.

Event Logging

The Specops Password Policy components log their operations to the application log event log.

Sentinel events

Event typeIDDescription
Information100Initializing...
Logged when the Specops Sentinel is starting.
Information101Successfully initialized version X.X.X.X.
Logged when the Specops Sentinel has successfully started.
Information102Successful password change.
Information103Successful password reset.
Information104Verbose logging enabled.
Information105Verbose logging disabled.
Information106Started processing password expiration email notifications.
Information107Information about expiration email notifications.
Information108A user account was automatically unlocked.
Information109Minor information notices.
Information110User not found.
Master key not found when storing or loading encrypted passwords.
Warning202Failed password change.
Warning203Failed password reset.
Warning209Minor warning notices.
Warning244Problems detected when processing encrypted password data.
Error300Initialization failed. Logged if the Specops Sentinel component failed to start.
Error301An error occurred during the password change/reset process.
Error302General exception occurred in the filter or notifier.
Information600Sentinel Password Filter loaded.
Information650Periodic job will not be performed, since this DC is not the PDC emulator.
Information677User has breached password, will not be enforced to change at next logon.
Information678User has breached password, will be enforced to change at next logon.
Information681User has breached password, request to notify user enqueued to Sentinel Service.

Debug logging

You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

Registry KeyDescription
HKLM\Software\Specopssoft\Specops
Password Policy\Filter\Debug
Enables debug logging for the sentinel component.
Default value = 0 (set to 1 to enable logging)
The default log path is:
%WINDIR%\Debug\SPP3FLT [LSASS].log
HKLM\Software\Specopssoft\Specops
Password
Policy\Administration\Debug
Enables debug logging for the GPMC snap-in and the
Domain Administration tool.
Default value = 0 (set to 1 to enable logging)
The default log paths are:
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicy2GpmcSnapIn.log
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicyDomainAdministration.log
HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter\LoggingEnables debug logging for the arbiter component. Default value = 0 (set to 1 to enable logging). The default log path is: %windir%\ServiceProfiles\NetworkService\AppData\
Local\Specopssoft\SpecopsPasswordArbiter.log

Note: Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.