Event Logging

The Specops Password Policy components log their operations to the application log. Specops Breached Password Protection components log their operations to the Applications and Services Logs.

Use the search widget below, or find event IDs in the table.

Search Event ID
ID:
Type:
Description

Sentinel Service Events

Sentinel Service Events
Event type ID Description
Information 100 Initializing...
Logged when the Specops Sentinel is starting.
Information 101 Successfully initialized version X.X.X.X.
Logged when the Specops Sentinel has successfully started.
Information 102 Successful password change.
Information 103 Successful password reset.
Information 104 Verbose logging enabled.
Information 105 Verbose logging disabled.
Information 108 A user account was automatically unlocked.
Information 109 Minor information notices.
Information 110 User not found.
Master key not found when storing or loading encrypted passwords.
Warning 202 Failed password change.
Warning 203 Failed password reset.
Warning 209 Minor warning notices.
Warning 244 Problems detected when processing encrypted password data.
Error 300 Initialization failed. Logged if the Specops Sentinel component failed to start.
Error 301 An error occurred during the password change/reset process.
Error 302 General exception occurred in the filter or notifier.
Information 600 Sentinel Password Filter loaded.
Information 1001 The Sentinel service is about to start.
Information 1002 The Sentinel service started successfully.
Error 1003 Failed to start the Sentinel service.
Information 1004 The Sentinel service is about to stop.
Information 1005 The Sentinel service stopped successfully.
Information 1006 A valid custom service command was sent to the Sentinel service.
Information 1007 The Arbiter URLs were loaded successfully from the SCPs.
Warning 1009 The URLs for the Arbiters could not be read from the SCP in Active Directory.
Information 1010 The password that was set for a user was found in the breach list, but user does not need to change it according to the GPO configuration.
Information 1011 The password that was set for a user was found in the breach list, user will be forced to change it at next logon.
Warning 1012 A password for a user was found in the breach list, but the password could not be expired.
Information 1013 The password that was set for a user was not found in the breach list.
Warning 1015 Failed to check if a password is in the breach list. An error occurred on the Arbiter server.
Warning 1018 An unexpected error occurred in the file queue for the Sentinel service.
Warning 1022 Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning 1023 Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning 1024 An error occurred when communicating with the Arbiter server.
Warning 1029 An unexpected error occurred in the file queue for the Sentinel service.
Error 1039 Failed to process a message in the file queue from the Sentinel password filter.
Error 1046 Failed to read a file into the cache.
Warning 1058 An unexpected error occurred in the file queue for the Sentinel service.
Warning 1062 An SMTP related error occurred when attempting to send an email.
Warning 1063 The sender email address is invalid. Email cannot be sent.
Error 1064 Failed to send a Breach Password protection API email notification to a user.
Information 1067 The Sentinel service WebApi has started.
Information 1073 User counting is starting. This happens every night on the PDC emulator.
Error 1074 An error occurred when initiating one of the subprocesses of the user counting.
Error 1078 An error occurred when finalizing one of the subprocesses of the user counting.
Information 1079 User counting completed.
Error 1081 Failed to send a license information email.
Error 1087 Failed to send a password expiration reminder email.
Error 1091 Failed to update a user's subobject in Active Directory.
Error 1095 Failed to expire the password for a user.
Error 1097 Failed to send a Breach Password protection express email notification to a user.
Error 1098 Failed to check if a user's password is in the breach list.
Warning 1102 Failed to update the flags attribute on a user subobject.
Information 1104 A sub process of the user counting completed.
Error 1106 An unexpected error occurred when processing a user account during user counting.
Warning 1107 Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory.
Warning 1108 Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory. The email will be sent to the CC recipient.
Error 1109 Cannot send breached password notification because account has no email address.
Error 1111 The user counting was aborted unexpectedly.
Information 1113 A breached password protection against the local express list has started due to a command being sent to the Web API.
Information 1114 A license report email is sent to Specops.
Information 1115 A license information email is sent to the configured admin email address.
Warning 1116 A unknown custom service command was sent to the Sentinel service.
Warning 1118 User counting cannot be started because a previous count has not completed.
Error 1119 The user counting was aborted due to a license error
Information 1120 Sending BPP Complete Email: Breached Password Protection sent a notification.
Error 1121 Hash Load Error: A password hash cannot be read by Breached Password Protection Express.
Information 1122 The user counting will not be performed because Specops Password Policy is disabled in the domain.
Information 1123 Password Is Already Expired: a user’s password has already expired, and no Breached Password Protection Express breach check and notification are performed.
Information 1166 Password never expires flag was removed due to breached password.

Specops Arbiter events

Specops Arbiter events
Event type ID Description
Information 2001 Service starting.
Information 2002 Service started.
Error 2003 Service failed to start
Information 2004 Service stopping.
Information 2005 Service stopped.
Information 2006 Custom control message sent to service.
Warning 2008 An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks a subject for the email notification.
Warning 2009 An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks body text for the email notification.
Warning 2010 A text message notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks text message notification text.
Error 2022 An email notification failed to send for this email address. The server returned an error code and message.
Error 2014 Request to the Breached Password Protection API has failed.
Error 2047 Failed to start WebApiHost.
Information 2048 WebApiHost starting.
Error 2049 Unhandled error in WebApiHost application.

Debug logging

You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

Debug logging
Registry Key Description
HKLM\Software\Specopssoft\Specops
Password Policy\Filter\Debug
Enables debug logging for the sentinel component.
Default value = 0 (set to 1 to enable logging)
The default log path is:
%WINDIR%\Debug\SPP3FLT [LSASS].log
HKLM\Software\Specopssoft\Specops
Password
Policy\Administration\Debug
Enables debug logging for the GPMC snap-in and the
Domain Administration tool.
Default value = 0 (set to 1 to enable logging)
The default log paths are:
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicy2GpmcSnapIn.log
%USERPROFILE%\AppData\Local\SpecopsSoft\
SpecopsPasswordPolicyDomainAdministration.log
HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter\Logging Enables debug logging for the arbiter component. Default value = 0 (set to 1 to enable logging). The default log path is: %windir%\ServiceProfiles\NetworkService\AppData\
Local\Specopssoft\SpecopsPasswordArbiter.log

Legacy event codes


These event codes have been deprecated. They are still valid for Specops Password Policy version 7.5 and older.

Legacy event codes
Event type ID Description
Information 106 Started processing password expiration email notifications.
Information 107 Information about expiration email notifications.
Information 650 Periodic job will not be performed, since this DC is not the PDC emulator.
Information 677 User has breached password, will not be enforced to change at next logon.
Information 678 User has breached password, will be enforced to change at next logon.
Information 681 User has breached password, request to notify user enqueued to Sentinel Service.