Logging
The management runtime logs all events to the Application Event Log of the local computer. Log messages are English only, but they can be localized, or additional languages added, in the future if necessary.
The type of events that are logged is configurable either via GPO or via the following registry REG_DWORD value:
`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel`
Note: This registry value takes precedence over the Logging level registry policy; see the Configuration section for details.
The semantics of the possible values are as follows:
Value | Meaning |
---|---|
0 | Silent mode; log errors only. When no error occurs, nothing is logged about management runtime activity. This is the default value |
1 | Log errors and warnings |
2 | Verbose mode; log everything |
The event source for all events reported by the management runtime is always AdmPwd.
The following table summarizes the events that can occur in the Event Log:
ID | Severity | Description | Comment |
---|---|---|---|
2 | Error | Could not get computer object from AD. Error %1 | Logged when the management runtime is not able to connect to the computer account of the local computer in AD. %1 is a placeholder for the error code returned by the function that retrieves the local computer name, converts it to a DN and connects to the AD object specified by that DN |
3 | Error | Could not get local Administrator account. Error %1 | Logged when the management runtime is not able to connect to the built-in Administrator account. %1 is a placeholder for the error code returned by the function that detects the name of the local administrator account and connects to the account |
4 | Error | Could not get password expiration timestamp from computer account in AD. Error %1. | Logged when the management runtime is not able to read the value of `ms-MCS-AdmPwdExpirationTime` on the computer account in AD. %1 is a placeholder for the error code returned by the function that reads the value of the attribute and converts the value to |
6 | Error | Could not create new password. Error %1. | Logged when the management runtime, for any reason (typically a failure to initialize or use the random number generator), cannot create a new password for the local admin account |
7 | Error | Could not encrypt password. Error %1. | Logged in any of the following situations: %1 is a placeholder for the error returned by CryptoAPI or CNG |
8 | Error | Could not write changed password to AD. Error %1. | Logged when the management runtime is not able to report the new password and timestamp to AD. %1 is a placeholder for the error code returned by the LDAP modify request |
9 | Error | Could not reset local Administrator's password. Error %1 | Logged when the management runtime is not able to reset the password of the built-in Administrator account. %1 is a placeholder for the error returned by |
12 | Error | Could not check if password is in sync with AD. Error %1. | Logged when the management runtime is not able to detect the password age of the managed local administrator account. %1 is a placeholder for the error returned by |
13 | Error | Could not check or set state of built-in admin account. Error %1. | Logged when the management runtime is not able to detect the state of the built-in local administrator account. %1 is a placeholder for the error returned by |
100 | Information | Beginning processing with flags %1. | Logged when the management runtime starts a management cycle. %1 is a placeholder for the value of the flag passed to |
101 | Information | It is not necessary to change password yet. Will be changed in %1 days, %2 hours. | Logged when the management runtime detects that it is not yet time to reset the password of the managed admin account |
103 | Information | Local Administrator's password has been successfully encrypted | Logged when the password is successfully encrypted |
104 | Information | Local Administrator's password has been reported to AD. | Logged when the password is successfully reported to AD |
105 | Information | Local Administrator's password has been changed | Logged after the management runtime resets the password of the managed admin account |
106 | Information | Admin password was not manipulated with (%1) | Logged when the management runtime detects that the password of the managed local administrator account was not manipulated with. %1 is a placeholder for the difference between the expected and actual password age, in seconds. A difference of up to 3 seconds is accepted |
107 | Information | Admin password was never managed on this machine. Resetting password now. | Logged when the management runtime detects that the password of the managed local administrator account was never managed |
110 | Information | Finished successfully | Logged after the management runtime has performed all required tasks and is about to finish |
200 | Warning | Password expiration too long for computer (%1 days, %2 hours). Resetting password now. | Logged when the management runtime detects that the password expiration for the computer is longer than allowed by the policy in place, while protection against excessive password age is turned on |
201 | Warning | Password was manipulated with since last check (%1 seconds after regular password change). Resetting password now. | Logged when the management runtime detects that the password of the managed local administrator account was changed outside of the solution (for example manually by a user with administrative permissions) |
202 | Warning | Admin account management not enabled, exiting | Logged when admin account management is not enabled and the management runtime is not allowed to work |
203 | Warning | State of built-in admin account differs from policy and was fixed | Logged after the management runtime detects that the state of the built-in admin account on the managed machine differs from what the policy requires, and the management runtime has changed it to match the policy |
Notes:
- Generally, all events with severity "Error" are blocking: when any error occurs, no further tasks are performed and the management runtime terminates its processing
- The event source for the Event Log is embedded in the same executable as the main GPO executive. The reason for this decision was to keep deployment simple
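The following PowerShell script is an added example, not part of this documentation or of the product: it reads the `ExtensionDebugLevel` value described above, warns when level 0 would suppress the tampering warnings (200, 201, 203), and then pulls the error and warning events from the table out of the local Application log. It assumes it runs on a machine where the management runtime is installed; the 7-day window is an arbitrary choice.

```powershell
# Added example (not product code): audit AdmPwd logging level and surface
# the events a defender cares about from the local Application log.

$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
$level = (Get-ItemProperty -Path $regPath -Name ExtensionDebugLevel -ErrorAction SilentlyContinue).ExtensionDebugLevel
if ($null -eq $level) { $level = 0 }   # value absent: documented default is 0 (errors only)
$levelName = @{ 0 = 'Silent (errors only)'; 1 = 'Errors and warnings'; 2 = 'Verbose' }[[int]$level]
Write-Host "AdmPwd ExtensionDebugLevel = $level ($levelName)"
if ($level -lt 1) {
    Write-Warning 'Level 0 suppresses warnings, so events 200/201/203 (out-of-band password change, policy drift) are never written.'
}

# Event IDs from the table above, grouped by what they mean to a responder.
$tamperIds = 200, 201, 203                 # warnings: password/account state changed outside the solution
$errorIds  = 2, 3, 4, 6, 7, 8, 9, 12, 13   # blocking errors: the management cycle aborted

$filter = @{
    LogName      = 'Application'
    ProviderName = 'AdmPwd'                # event source documented above
    Id           = $tamperIds + $errorIds
    StartTime    = (Get-Date).AddDays(-7)  # arbitrary lookback window (assumption)
}
# Get-WinEvent reports "no events found" as a non-terminating error; silence it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in ($events | Sort-Object TimeCreated)) {
    $kind = if ($tamperIds -contains $e.Id) { 'TAMPER/DRIFT' } else { 'ERROR' }
    '{0:u}  {1,-12}  ID {2,-3}  {3}' -f $e.TimeCreated, $kind, $e.Id, ($e.Message -replace '\s+', ' ')
}
if (-not $events) { Write-Host 'No AdmPwd error or tampering events in the last 7 days.' }
```

Because every Error event is blocking, a run that logs an error without a later 110 is a cycle that never reset the password; that is the condition to alert on in central log collection.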