
    Logging

    The management runtime logs all events to the Application event log of the local computer. Log messages are in English only, but they can be localized, or additional languages can be added, in the future if necessary.

    The types of events that are logged are configurable either via GPO or via the following registry REG_DWORD value:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel

    Note: This registry value takes precedence over the Logging level registry policy; see the Configuration section for details.

    The possible values have the following meaning:

    | Value | Meaning |
    |-------|---------|
    | 0 | Silent mode; log errors only. When no error occurs, no information is logged about management runtime activity. This is the default value. |
    | 1 | Log errors and warnings. |
    | 2 | Verbose mode; log everything. |

    The event source for all events reported by the management runtime is always AdmPwd.
    The following table summarizes the events that can occur in the Event Log:

    | ID | Severity | Description | Comment |
    |----|----------|-------------|---------|
    | 2 | Error | Could not get computer object from AD. Error %1 | Logged when the management runtime is not able to connect to the computer account for the local computer in AD. %1 is a placeholder for the error code returned by the function that retrieves the local computer name, converts it to a DN and connects to the AD object specified by the DN. |
    | 3 | Error | Could not get local Administrator account. Error %1 | Logged when the management runtime is not able to connect to the built-in Administrator account. %1 is a placeholder for the error code returned by the function that detects the name of the local administrator's account and connects to the account. |
    | 4 | Error | Could not get password expiration timestamp from computer account in AD. Error %1. | Logged when the management runtime is not able to read the value of `ms-MCS-AdmPwdExpirationTime` of the computer account in AD. %1 is a placeholder for the error code returned by the function that reads the value of the attribute and converts it to the `unsigned __int64` type. |
    | 6 | Error | Could not create new password. Error %1. | Logged when the management runtime for any reason (typically because of a failure to initialize or use the random number generator) cannot create a new password for the local admin account. |
    | 7 | Error | Could not encrypt password. Error %1. | Logged in any of the following situations: the management runtime cannot locate the public key in the registry; the public key blob stored in GPO is invalid; the RSA CSP is not able to encrypt the password. %1 is a placeholder for the error returned by CryptoAPI or CNG. |
    | 8 | Error | Could not write changed password to AD. Error %1. | Logged when the management runtime is not able to report the new password and timestamp to AD. %1 is a placeholder for the error code returned by the LDAP modify request. |
    | 9 | Error | Could not reset local Administrator's password. Error %1 | Logged when the management runtime is not able to reset the password of the built-in Administrator account. %1 is a placeholder for the error returned by the NetUserSetInfo() API call. |
    | 12 | Error | Could not check if password is in sync with AD. Error %1. | Logged when the management runtime is not able to detect the password age of the managed local administrator account. %1 is a placeholder for the error returned by the NetUserGetInfo() API call. |
    | 13 | Error | Could not check or set state of built-in admin account. Error %1. | Logged when the management runtime is not able to detect the state of the built-in local administrator account. %1 is a placeholder for the error returned by the NetUserGetInfo() API call. |
    | 100 | Information | Beginning processing with flags %1. | Logged when the management runtime starts a management cycle. %1 is a placeholder for the value of the flag passed to the ProcessGroupPolicy() entry point by the GPO framework. Note: On Nano server, this event does not contain information about the GPO flag value, as there is no GPO. |
    | 101 | Information | It is not necessary to change password yet. Will be changed in %1 days, %2 hours. | Logged when the management runtime detects that it is not yet time to reset the password of the managed admin account. |
    | 103 | Information | Local Administrator's password has been successfully encrypted | Logged when the password is successfully encrypted. |
    | 104 | Information | Local Administrator's password has been reported to AD. | Logged when the password is successfully reported to AD. |
    | 105 | Information | Local Administrator's password has been changed | Logged after the management runtime resets the password of the managed admin account. |
    | 106 | Information | Admin password was not manipulated with (%1) | Logged when the management runtime detects that the password of the managed local administrator account was not manipulated. %1 is a placeholder for the difference between the expected and real password age, in seconds. The accepted difference is up to 3 seconds. |
    | 107 | Information | Admin password was never managed on this machine. Resetting password now. | Logged when the management runtime detects that the password of the managed local administrator account was never managed. |
    | 110 | Information | Finished successfully | Logged after the management runtime has performed all required tasks and is about to finish. |
    | 200 | Warning | Password expiration too long for computer (%1 days, %2 hours). Resetting password now. | Logged when the management runtime detects that the password expiration for the computer is longer than allowed by the policy in place while protection against excessive password age is turned on. |
    | 201 | Warning | Password was manipulated with since last check (%1 seconds after regular password change). Resetting password now. | Logged when the management runtime detects that the password of the managed local administrator account was changed outside of the solution (such as manually by a user with administrative permission). |
    | 202 | Warning | Admin account management not enabled, exiting | Logged when admin account management is not enabled and the management runtime is not allowed to work. |
    | 203 | Warning | State of built-in admin account differs from policy and was fixed | Logged after the management runtime detects that the state of the built-in admin account on the managed machine is different from that required by the policy and has changed it to match the policy. |

    Notes:

    • Generally, all events with severity “Error” are blocking: if any error occurs, no further tasks are performed and the management runtime terminates its processing.
    • The event source for the Event Log is embedded in the same executable as the main GPO executive. The reason for this decision was to keep deployment simple.
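
    The following PowerShell is an added example, not part of the original documentation or of the AdmPwd code. It checks the logging level and then triages AdmPwd events by the IDs in the table above; warnings such as 201 (password changed outside of the solution) are only written at level 1 or 2. The function names are hypothetical and the sample records are constructed.

```powershell
# Added example: triage AdmPwd events using the IDs from the table above.
# Function names are hypothetical; the sample records at the end are constructed.
$AdmPwdKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'

function Get-AdmPwdDebugLevel {
    # Reads only the registry override. $null means the value is absent,
    # so the policy setting or the default (0, errors only) applies.
    $p = Get-ItemProperty -LiteralPath $AdmPwdKey -Name ExtensionDebugLevel -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.ExtensionDebugLevel } else { $null }
}

function Get-AdmPwdFinding {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # Map the IDs worth an analyst's attention; informational IDs yield nothing.
        $finding = switch ([int]$Record.Id) {
            201 { 'Password changed outside the solution; runtime reset it' }
            200 { 'Password expiration exceeded policy; runtime reset it' }
            203 { 'Built-in admin account state differed from policy; runtime fixed it' }
            202 { 'Admin account management not enabled; runtime exited' }
            { $_ -in 2, 3, 4, 6, 7, 8, 9, 12, 13 } { 'Blocking error; processing terminated' }
        }
        if ($finding) {
            [pscustomobject]@{ Time = $Record.TimeCreated; Id = $Record.Id; Finding = $finding; Message = $Record.Message }
        }
    }
}

# Warnings 200-203 are written only at level 1 or 2, so check the level first.
$level = Get-AdmPwdDebugLevel
if ($null -eq $level -or $level -lt 1) {
    Write-Warning 'ExtensionDebugLevel override absent or 0; unless policy raises the level, only errors are logged.'
}

# Live query: the event source is always AdmPwd, in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'AdmPwd' } -ErrorAction SilentlyContinue |
    Get-AdmPwdFinding | Sort-Object Time

# Constructed sample records (not real log data) to exercise the function offline.
$sample = @(
    [pscustomobject]@{ Id = 100; TimeCreated = [datetime]'2024-01-01T08:00:00'; Message = 'constructed' }
    [pscustomobject]@{ Id = 201; TimeCreated = [datetime]'2024-01-01T08:00:01'; Message = 'constructed' }
    [pscustomobject]@{ Id = 8;   TimeCreated = [datetime]'2024-01-01T09:30:00'; Message = 'constructed' }
)
$sample | Get-AdmPwdFinding
```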