cancel
Showing results for 
Search instead for 
Did you mean: 

I cannot reset VSA password.

Daniel_R_
Level 5
Partner Accredited
Hi,
I cannot reset VSA password. The following was checked and is ok:

DNS alias and HKLM\system\currentcontrolset\services\lanmanserver\parameters\DisableStrictNameChecking=1.

Wich other things could cause that ???

Regards,

(im working with EV6.0 SP2 with Domain 2003)

The error is:

Reconfiguration was not completed successfully. Examine the log below and make the corrective measures described.

An error occurred while trying to grant the following user rights to the account
'SEDE\vaultadmin'
on computer 'EVSERVER1.sede.company.com':

Log on as a service
Act as part of the operating system
Debug programs
Replace a process-level token

You can try again or you can add these rights yourself with the User Manager for
Domains administrative tool.

Error: Access is denied.
-----------------------------------------------------------------------------------------------------------------------------
The account 'SEDE\vaultadmin' could not be added to the local Administrators
group on 'EVSERVER1.sede.company.com'.

You can try again or use User Manager for Domains to add the account
to the group.

Error: Access is denied.
22 REPLIES 22

W_Wintermute
Level 4
I saw this problem the other day. Your issue appears similar.
If you are logged in as the Vault Admin and you try to go and manually add the VaultAdmin via Local Policy settings, does it allow you to, or is the Add button greyed out? The issue we had was that two of these Local Policy settings were controlled by a group policy at the OU level, so the Local Policy settings could not be modified.

Daniel_R_
Level 5
Partner Accredited
I can see the VSA in Local Policy Setting on

Log on as a service
Act as part of the operating system
Debug programs
Replace a process-level token

and the button isnt greyed out and i could add other user. Would I be able to do that if Local Policy Settings were controlled by a group policy at the OU level?

thanks.

Alan_M
Level 6
This should not be necessary for a reset of just the password. Assuming that you have previously been using this account for EV and all you want to do is change the password.Try this:

1. In ADUC select the VSA account and reset the password.
2. On your EV server Go to computer management-services and select properties of the EV Admin service. Click the logon tab and type in the new password.
3. Stop the EV admin service. This will also stop the other EV services
4. On the EV server open the EV console. Go to the properties of the Directory. Click the Service Account tab. Type in the password.
5. On the EV server restart all the EV services from the EV console.



> I can see the VSA in Local Policy Setting on
>
> Log on as a service
> Act as part of the operating system
> Debug programs
> Replace a process-level token
>
> and the button isnt greyed out and i could add other
> user. Would I be able to do that if Local Policy
> Settings were controlled by a group policy at the OU
> level?
>
> thanks.

Alan_M
Level 6
This should not be necessary for a reset of just the password. Assuming that you have previously been using this account for EV and all you want to do is change the password.Try this:

1. In ADUC select the VSA account and reset the password.
2. On your EV server Go to computer management-services and select properties of the EV Admin service. Click the logon tab and type in the new password.
3. Stop the EV admin service. This will also stop the other EV services
4. On the EV server open the EV console. Go to the properties of the Directory. Click the Service Account tab. Type in the password.
5. On the EV server restart all the EV services from the EV console.



> I can see the VSA in Local Policy Setting on
>
> Log on as a service
> Act as part of the operating system
> Debug programs
> Replace a process-level token
>
> and the button isnt greyed out and i could add other
> user. Would I be able to do that if Local Policy
> Settings were controlled by a group policy at the OU
> level?
>
> thanks.

Alan_M
Level 6
This should not be necessary for a reset of just the password. Assuming that you have previously been using this account for EV and all you want to do is change the password.Try this:

1. In ADUC select the VSA account and reset the password.
2. On your EV server Go to computer management-services and select properties of the EV Admin service. Click the logon tab and type in the new password.
3. Stop the EV admin service. This will also stop the other EV services
4. On the EV server open the EV console. Go to the properties of the Directory. Click the Service Account tab. Type in the password.
5. On the EV server restart all the EV services from the EV console.

Alan_M
Level 6
This should not be necessary for a reset of just the password. Assuming that you have previously been using this account for EV and all you want to do is change the password.Try this:

1. In ADUC select the VSA account and reset the password.
2. On your EV server Go to computer management-services and select properties of the EV Admin service. Click the logon tab and type in the new password.
3. Stop the EV admin service. This will also stop the other EV services
4. On the EV server open the EV console. Go to the properties of the Directory. Click the Service Account tab. Type in the password.
5. On the EV server restart all the EV services from the EV console.

Daniel_R_
Level 5
Partner Accredited
When EV finished to reconfigure the services show the same error, the password has been changed and services and tasks are running ok. But that not would have to happend.

another idea about it?

thanks

TonySterling
Moderator
Moderator
Partner    VIP    Accredited Certified
In the Vault Admin console does it say Directory on 'EVSERVER1.sede.company.com'? If you change that to the actual computer name and try does it work?

Karo_Kalyptus
Level 2
Are you using Windows 2003 Sp1?

Are you able to access your alias from the run cmd i.e start - run - \\EV Server Alias?

Are you prompted for a password? if yes try the disableloopbackcheck = 1

http://support.microsoft.com/default.aspx?scid=kb;en-us;887993

Karo_Kalyptus
Level 2
Are you using windows 2003 Sp1?
If yes, are you able to access the alias name via a unc path - start - run - \\evserver alias?

If you are prompted for authentication, whatever you type in I suppose it won't go through.

Try the disableloopbackcheck reg key:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887993

Daniel_R_
Level 5
Partner Accredited
Im using EVSERVER1 name because the DNS Alias complete exceed 32 characteres and i cannot put in Directory Service Computer.

Phil_McDougal
Level 5
Hey all,

I'm having this exact issue.  When resetting the vault service account in the site  (only 1 site) Directory, it fails and says I need to add it to the local administrators group.  Well it's there.  I did notice that if I go to the UNC path of the vault server alias (from the vault server), it prompts me for the password but does not take it.  If I try to go to the UNC path of the alias compliance accelerator system from the vault server, it says a duplicate name is on the network.

I've reset the vault service account password in the domain and re-entered it in the EV services as well to no avail.

Any other ideas on how to get the vault service account to resync?

Thank you!
PM.

MichelZ
Level 6
Partner Accredited Certified
Phil

Have you tried:
HKLM\system\currentcontrolset\services\lanmanserver\parameters\DisableStrictNameChecking=1.

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

Phil_McDougal
Level 5
Thanks Michel.

This key is already set to 1 on my vault server.  I'm stumped...

MichelZ
Level 6
Partner Accredited Certified
Phil

Could you post the exact error messages you get?
Have you tried setting the account manually in services.msc?
Have you tried removing the Account from local Admin and adding it again?

Cheers
Michel

cloudficient - EV Migration, creators of EVComplete.

jimbo2
Level 6
Partner
Listen to Karo.
 
You have to implement DisableLoopBackCheck with DisableStrictNameChecking.
 
Here is why
 
The DisableLoopBackCheck is first in the IP stack so if you only apply DisableStrictNameChecking then the system never gets past the DisableLoopBackCheck issue.
 
Implement both keys and your problem will be solved.

jimbo2
Level 6
Partner
Daniel,
 
Did adding both keys and rebooting work?
 
Jim S.

Daniel_R_
Level 5
Partner Accredited
Hi guys,
 
You are rigth Jimbo!, my issue was resolved adding DisableLoopBackCheck because I only had "DisableStrictNameChecking =1".   Well, I that time not exist Deployment Scanner..... :\
 
Thanks for all

jimbo2
Level 6
Partner
Smiley Happy