Troubleshooting
The information below is intended for administrators who are responsible for troubleshooting Specops Password Policy. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Policy.
Common Issues
The custom message is not displayed when failing to meet the password rules
Possible cause
The MS filter is blocking the password
Possible solution
After you’ve ensured that the new password meets at least the default domain policy, confirm whether a fine-grained password policy (FGPP) is in place. FGPPs can be found in the Password Settings Container. Delete any FGPP to ensure that the domain policy is applied, and verify that the custom message appears as expected.
The Sentinel appears as “not installed” on the DC even though it has been installed.
Possible cause
If the account you are logged in with doesn’t have access to the admin$ share on the DC then you will get the “not Installed” message.
Possible solution
You need to be logged in with a Domain Admin level account to connect to this share. The Admin Tool checks for the existence of the file.
To ensure that the file is running, use Process Explorer (SysInternals/Microsoft tool https://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx). The file will appear under LSASS.EXE in one of the threads.
“The system cannot find the path specified” error in the eventlog
Possible cause
Specops Password Policy and Specops Password Reset leverage the same Client. In this case, the Client is looking for SPR.ini in the Specops Password Reset product.
Possible solution
If you are not using Specops Password Reset, this message can be safely ignored.
User does not receive the Specops message when they enter a password that does not meet complexity requirement
Possible cause
- The password does not meet Microsoft’s default password complexity requirements.
- The Specops Client is not installed.
Possible solution
- Ensure that the password has met Microsoft’s password complexity requirements.
- Ensure that the Specops Client is installed.
“Invalid License File” error in the Domain Administration Tool
Possible cause
- Version mismatch between Administration Tool and license key.
Possible solution
- Contact Specops Support for correct license file version.
User is unable to meet the policy requirements and cannot change password
Possible cause
There may a problem with the dictionary file.
Possible solution
- In the Group Policy Editor, expand User Configuration, Windows Settings, and select Specops Password policy.
- Click Configure Password Policy.
- Select the Password Rules tab.
- Disable the Disallow words from dictionary checkbox.
Cannot view the sentinel state in the domain administration tool
Possible cause
The person running the tool is unable to connect to the admin share on the DC’s.
Possible solution
Ensure that the user running the Domain Administration Tool has the appropriate rights to monitor the status.
Event Logging
The Specops Password Policy components log their operations to the application log event log.
Sentinel events
Event type | ID | Description |
---|---|---|
Information | 100 | Initializing... Logged when the Specops Sentinel is starting. |
Information | 101 | Successfully initialized version X.X.X.X. Logged when the Specops Sentinel has successfully started. |
Information | 102 | Successful password change. |
Information | 103 | Successful password reset. |
Information | 104 | Verbose logging enabled. |
Information | 105 | Verbose logging disabled. |
Information | 106 | Started processing password expiration email notifications. |
Information | 107 | Information about expiration email notifications. |
Information | 108 | A user account was automatically unlocked. |
Information | 109 | Minor information notices. |
Information | 110 | User not found. Master key not found when storing or loading encrypted passwords. |
Warning | 202 | Failed password change. |
Warning | 203 | Failed password reset. |
Warning | 209 | Minor warning notices. |
Warning | 244 | Problems detected when processing encrypted password data. |
Error | 300 | Initialization failed. Logged if the Specops Sentinel component failed to start. |
Error | 301 | An error occurred during the password change/reset process. |
Error | 302 | General exception occurred in the filter or notifier. |
Information | 600 | Sentinel Password Filter loaded. |
Information | 650 | Periodic job will not be performed, since this DC is not the PDC emulator. |
Information | 677 | User has breached password, will not be enforced to change at next logon. |
Information | 678 | User has breached password, will be enforced to change at next logon. |
Information | 681 | User has breached password, request to notify user enqueued to Sentinel Service. |
Debug logging
You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”
Registry Key | Description |
---|---|
HKLM\Software\Specopssoft\Specops Password Policy\Filter\Debug | Enables debug logging for the sentinel component. Default value = 0 (set to 1 to enable logging) The default log path is: %WINDIR%\Debug\SPP3FLT [LSASS].log |
HKLM\Software\Specopssoft\Specops Password Policy\Administration\Debug | Enables debug logging for the GPMC snap-in and the Domain Administration tool. Default value = 0 (set to 1 to enable logging) The default log paths are: %USERPROFILE%\AppData\Local\SpecopsSoft\ SpecopsPasswordPolicy2GpmcSnapIn.log %USERPROFILE%\AppData\Local\SpecopsSoft\ SpecopsPasswordPolicyDomainAdministration.log |
HKLM\Software\Specopssoft\uReset\Client\Debug | Enables and disables debug logging for the Specops uReset Client components. Default value = 0 (set to 1 to enable logging) The default log paths are: SecuredBrowser: c:\windows\debug (if running as a logged on user, make sure user has write permissions in there) Credential provider: c:\windows\debug Tiled Credential provider: c:\windows\debug uReset client: %LocalAppData%\Specopssoft Paths cannot be changed. |
Note: Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.