Troubleshooting | Event logging

The Specops Password Policy components log their operations to the application log event log. Specops Breached Password Protection components log their operations to the Applications and Services Logs. 

Sentinel Service Events

Event typeIDDescription
Information100Initializing...
Logged when the Specops Sentinel is starting.
Information101Successfully initialized version X.X.X.X.
Logged when the Specops Sentinel has successfully started.
Information102Successful password change.
Information103Successful password reset.
Information104Verbose logging enabled.
Information105Verbose logging disabled.
Information108A user account was automatically unlocked.
Information109Minor information notices.
Information110User not found.
Master key not found when storing or loading encrypted passwords.
Warning202Failed password change.
Warning203Failed password reset.
Warning209Minor warning notices.
Warning244Problems detected when processing encrypted password data.
Error300Initialization failed. Logged if the Specops Sentinel component failed to start.
Error301An error occurred during the password change/reset process.
Error302General exception occurred in the filter or notifier.
Information600Sentinel Password Filter loaded.
Information1001The Sentinel service is about to start.
Information1002The Sentinel service started successfully.
Error1003Failed to start the Sentinel service.
Information1004The Sentinel service is about to stop.
Information1005The Sentinel service stopped successfully.
Information1006A valid custom service command was sent to the Sentinel service.
Information1007The Arbiter URLs were loaded successfully from the SCPs.
Warning1009The URLs for the Arbiters could not be read from the SCP in Active Directory.
Information1010The password that was set for a user was found in the breach list, but user does not need to change it according to the GPO configuration.
Information1011The password that was set for a user was found in the breach list, user will be forced to change it at next logon.
Warning1012A password for a user was found in the breach list, but the password could not be expired.
Information1013The password that was set for a user was not found in the breach list.
Warning1015Failed to check if a password is in the breach list. An error occurred on the Arbiter server.
Warning1018An unexpected error occurred in the file queue for the Sentinel service.
Warning1022Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning1023Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning1024An error occurred when communicating with the Arbiter server.
Warning1029An unexpected error occurred in the file queue for the Sentinel service.
Error1039Failed to process a message in the file queue from the Sentinel password filter.
Error1046Failed to read a file into the cache.
Warning1058An unexpected error occurred in the file queue for the Sentinel service.
Warning1062An SMTP related error occurred when attempting to send an email.
Warning1063The sender email address is invalid. Email cannot be sent.
Error1064Failed to send a Breach Password protection API email notification to a user.
Information1067The Sentinel service WebApi has started.
Information1073User counting is starting. This happens every night on the PDC emulator.
Error1074An error occurred when initiating one of the subprocesses of the user counting.
Error1078An error occurred when finalizing one of the subprocesses of the user counting.
Information1079User counting completed.
Error1081Failed to send a license information email.
Error1087Failed to send a password expiration reminder email.
Error1091Failed to update a user's subobject in Active Directory.
Error1095Failed to expire the password for a user.
Error1097Failed to send a Breach Password protection express email notification to a user.
Error1098Failed to check if a user's password is in the breach list.
Warning1102Failed to update the flags attribute on a user subobject.
Information1104A sub process of the user counting completed.
Error1106An unexpected error occurred when processing a user account during user counting.
Warning1107Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory.
Warning1108Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory. The email will be sent to the CC recipient.
Error1109Cannot send breached password notification because account has no email address.
Error1111The user counting was aborted unexpectedly.
Information1113A breached password protection against the local express list has started due to a command being sent to the Web API.
Information1114A license report email is sent to Specops.
Information1115A license information email is sent to the configured admin email address.
Warning1116A unknown custom service command was sent to the Sentinel service.
Warning1118User counting cannot be started because a previous count has not completed.
Error1119The user counting was aborted due to a license error
Information1120Sending BPP Complete Email: Breached Password Protection sent a notification.
Error1121Hash Load Error: A password hash cannot be read by Breached Password Protection Express.
Information1122The user counting will not be performed because Specops Password Policy is disabled in the domain.
Information1123Password Is Already Expired: a user’s password has already expired, and no Breached Password Protection Express breach check and notification are performed.

Specops Arbiter events

Event TypeIDDescription
Information2001Service starting.
Information2002Service started.
Error2003Service failed to start
Information2004Service stopping.
Information2005Service stopped.
Information2006Custom control message sent to service.
Warning2008An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks a subject for the email notification.
Warning2009 An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks body text for the email notification.
Warning2010A text message notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks text message notification text.
Error2022An email notification failed to send for this email address. The server returned an error code and message.
Error2014Request to the Breached Password Protection API has failed.
Error2047Failed to start WebApiHost.
Information2048WebApiHost starting.
Error2049Unhandled error in WebApiHost application.

Debug logging

You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

Registry KeyDescription
HKLM\Software\Specopssoft\Specops
Password Policy\Filter\Debug
Enables debug logging for the sentinel component.
Default value = 0 (set to 1 to enable logging)
The default log path is:
%WINDIR%\Debug\SPP3FLT [LSASS].log
HKLM\Software\Specopssoft\Specops
Password
Policy\Administration\Debug
Enables debug logging for the GPMC snap-in and the
Domain Administration tool.
Default value = 0 (set to 1 to enable logging)
The default log paths are:
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicy2GpmcSnapIn.log
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicyDomainAdministration.log
HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter\LoggingEnables debug logging for the arbiter component. Default value = 0 (set to 1 to enable logging). The default log path is: %windir%\ServiceProfiles\NetworkService\AppData\
Local\Specopssoft\SpecopsPasswordArbiter.log

Legacy Event Codes

These event codes have been deprecated. They are still valid for Specops Password Policy version 7.5 and older.

Event typeIDDescription
Information106Started processing password expiration email notifications.
Information107Information about expiration email notifications.
Information650Periodic job will not be performed, since this DC is not the PDC emulator.
Information677User has breached password, will not be enforced to change at next logon.
Information678User has breached password, will be enforced to change at next logon.
Information681User has breached password, request to notify user enqueued to Sentinel Service.