The information below is intended for administrators who are responsible for troubleshooting Specops Password Policy. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Policy.
The custom message is not displayed when failing to meet the password rules
The MS filter is blocking the password
After you’ve ensured that the new password meets at least the default domain policy, confirm whether a fine-grained password policy (FGPP) is in place. FGPPs can be found in the Password Settings Container. Delete any FGPP to ensure that the domain policy is applied, and verify that the custom message appears as expected.
The Sentinel appears as “not installed” on the DC even though it has been installed.
If the account you are logged in with doesn’t have access to the admin$ share on the DC then you will get the “not Installed” message.
You need to be logged in with a Domain Admin level account to connect to this share. The Admin Tool checks for the existence of the file.
To ensure that the file is running, use Process Explorer (SysInternals/Microsoft tool https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx). The file will appear under LSASS.EXE in one of the threads.
Specops Password Policy and Specops Password Reset leverage the same Client. In this case, the Client is looking for SPR.ini in the Specops Password Reset product.
If you are not using Specops Password Reset, this message can be safely ignored.
User does not receive the Specops message when they enter a password that does not meet complexity requirement
- The password does not meet Microsoft’s default password complexity requirements.
- The Specops Client is not installed.
- Ensure that the password has met Microsoft’s password complexity requirements.
- Ensure that the Specops Client is installed.
- Version mismatch between Administration Tool and license key.
- Contact Specops Support for correct license file version.
There may a problem with the dictionary file.
- In the Group Policy Editor, expand User Configuration, Windows Settings, and select Specops Password policy.
- Click Configure Password Policy.
- Select the Password Rules tab.
- Disable the Disallow words from dictionary checkbox.
The person running the tool is unable to connect to the admin share on the DC’s.
Ensure that the user running the Domain Administration Tool has the appropriate rights to monitor the status.
The Specops Password Policy components log their operations to the application log event log.
Logged when the Specops Sentinel is starting.
|Information||101||Successfully initialized version X.X.X.X. |
Logged when the Specops Sentinel has successfully started.
|Information||102||Successful password change.|
|Information||103||Successful password reset.|
|Information||104||Verbose logging enabled.|
|Information||105||Verbose logging disabled.|
|Information||106||Started processing password expiration email notifications.|
|Information||107||Information about expiration email notifications.|
|Information||108||A user account was automatically unlocked.|
|Information||109||Minor information notices.|
|Information||110||User not found. |
Master key not found when storing or loading encrypted passwords.
|Warning||202||Failed password change.|
|Warning||203||Failed password reset.|
|Warning||209||Minor warning notices.|
|Warning||244||Problems detected when processing encrypted password data.|
|Error||300||Initialization failed. Logged if the Specops Sentinel component failed to start.|
|Error||301||An error occurred during the password change/reset process.|
|Error||302||General exception occurred in the filter or notifier.|
|Information||600||Sentinel Password Filter loaded.|
|Information||650||Periodic job will not be performed, since this DC is not the PDC emulator.|
|Information||677||User has breached password, will not be enforced to change at next logon.|
|Information||678||User has breached password, will be enforced to change at next logon.|
|Information||681||User has breached password, request to notify user enqueued to Sentinel Service.|
You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”
|Enables debug logging for the sentinel component.|
Default value = 0 (set to 1 to enable logging)
The default log path is:
|Enables debug logging for the GPMC snap-in and the|
Domain Administration tool.
Default value = 0 (set to 1 to enable logging)
The default log paths are:
|HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter\Logging||Enables debug logging for the arbiter component. Default value = 0 (set to 1 to enable logging). The default log path is: %windir%\ServiceProfiles\NetworkService\AppData\|
Note: Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.