7020983: IDM Passsync Troubleshooting Tool is denied access to registry key.

This document (7020983) is provided subject to the disclaimer at the end of this document.

Environment

Identity Manager 4.6
Active Directory Password Synchronization

Situation

Using the PassSync Troubleshooting Tool to check Active Directory Password Synchronization.
This tool is a Windows executable and can be found on the install media in the setup\utilities\PassSyncTroubleshootingTool folder.

When running the Domain Controller Check, the following error is generated:

Error occurred while opening the registry key[SOFTWARE\NOVELL\PWFILTER\DATA]. Access is denied.

This happens even when using the Domain Administrator account.

Resolution

Run regedit, right-click the key HKLM\Software\Novell\PwFilter\Data, and select Permissions.
Select the Advanced option and add the Administrators Group.
Set the Read permission.
Make sure the box labeled “Replace all child object permission entries with inheritable permission entries from this object” is checked.

Cause

This registry key is protected by a trusted installer. By default, Administrator does not have the read permission.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

Event ID 8256 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Windows to UNIX Password Synchronization Service Availability indicates the operational state of the Windows to UNIX password synchronization service and its availability to synchronize user account passwords to the UNIX environment that are changed in the Windows environment.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user’s password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Generally, the service is available if it has read and modify permissions in the Windows Registry, and if the computer on which Password Synchronization is installed remains an Active Directory® Domain Services domain controller.

Event Details

Product: Windows Identity Management for UNIX
ID: 8256
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_REG_NOTIFY_KEY_CHANGE
Message: Error completing registry key change notification. Error=%1.

Resolve
Restart the Windows-based computer

Very rarely, Password Synchronization reports that an internal application error occurred with the SetNotify function call, and that the Windows to UNIX Password Synchronization Service cannot operate normally. Restarting the Windows-based computer on which Password Synchronization is installed typically clears the error.

To restart the computer:

  • Click Start, click the arrow next to the Lock button, and then click Restart.

Verify

The Windows to UNIX password synchronization service is functioning normally in the absence of any of the following messages in Event Viewer. If any of the following messages are logged in Event Viewer, the service cannot function normally.

  • IDMU Password Synchronization event 16388
  • IDMU Password Synchronization event 8194
  • IDMU Password Synchronization event 8193

Related:

Event ID 8193 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Windows to UNIX Password Synchronization Service Availability indicates the operational state of the Windows to UNIX password synchronization service and its availability to synchronize user account passwords to the UNIX environment that are changed in the Windows environment.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user’s password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Generally, the service is available if it has read and modify permissions in the Windows Registry, and if the computer on which Password Synchronization is installed remains an Active Directory® Domain Services domain controller.

Event Details

Product: Windows Identity Management for UNIX
ID: 8193
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_ERROR_READING_CONFIG
Message: Failure reading Password Synchronization configuration. %rApply configuration changes again and if the problem persists, verify that Password Synchronization has been configured in accordance with guidance in the Password Synchronization Help.

Resolve
Fix registry error

Password Synchronization encountered an error reading or writing to a specific Windows registry key. Open Event Viewer and read the associated error message, which describes the root cause of this error.

Confirm that the computer running Password Synchronization has access permissions to the Windows registry by doing the following:

  1. Open the Registry Editor.
    • Click Start, click Run, type regedit in the Open text box, and then click OK.
  2. In the hierarchy pane, navigate to the registry key identified by the error message.
  3. If the error message does not show the path to the registry key on which the problem occurred, navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Identity Management.
  4. With the key highlighted, click Permissions on the Edit menu to open the Permissions for Registry Key dialog box.
  5. Verify that the user SYSTEM has Full Control permissions.
  6. Click Add to add the SYSTEM user if it is not already listed in the Group or user names list on the Security tab. If needed, assign Full Control permissions to SYSTEM in the Permissions for User list.
  7. Click OK. Close the Registry Editor.
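
The permission check in this procedure, and the Administrators read check from the NetIQ resolution further up the page, can be done from PowerShell. This is an added example, not code from either vendor: the function name is hypothetical, and the well-known SIDs S-1-5-18 (SYSTEM) and S-1-5-32-544 (Administrators) are used instead of localized account names.

```powershell
# Added example (not vendor code): report what a registry key's DACL grants to one SID.
# Only ACEs that name the SID directly are counted; access gained through other
# group memberships is not evaluated.
function Test-RegistryKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.Security.AccessControl.RegistryRights] $Rights
    )
    $result = [ordered]@{ Path = $Path; Sid = $Sid.Value; Required = $Rights
                          Granted = $false; InheritedBySubkeys = $false; DenyPresent = $false; Error = $null }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Before the fix, even reading the security descriptor can fail with "Access is denied".
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }
    $allow = 0
    $childAllow = 0
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $Sid.Value) { continue }
        if ($ace.AccessControlType -eq 'Deny') { $result.DenyPresent = $true; continue }
        $mask = [int]$ace.RegistryRights
        # An inherit-only ACE applies to subkeys but not to the key itself.
        if (-not ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) {
            $allow = $allow -bor $mask
        }
        # Container-inherit ACEs are what the "replace child permissions" box pushes to subkeys.
        if ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) {
            $childAllow = $childAllow -bor $mask
        }
    }
    $need = [int]$Rights
    $result.Granted = (($allow -band $need) -eq $need)
    $result.InheritedBySubkeys = (($childAllow -band $need) -eq $need)
    [pscustomobject]$result
}

# SYSTEM needs Full Control on the Identity Management key (steps 3 to 6 above).
Test-RegistryKeyAccess -Path 'HKLM:\SOFTWARE\Microsoft\Identity Management' -Sid 'S-1-5-18' -Rights FullControl
# Administrators need Read on the PwFilter Data key (NetIQ document 7020983).
Test-RegistryKeyAccess -Path 'HKLM:\SOFTWARE\Novell\PwFilter\Data' -Sid 'S-1-5-32-544' -Rights ReadKey
```

Run it from an elevated session on the domain controller. A populated Error field means the security descriptor itself could not be read.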

Verify

The Windows to UNIX password synchronization service is functioning normally in the absence of any of the following messages in Event Viewer. If any of the following messages are logged in Event Viewer, the service cannot function normally.

  • IDMU Password Synchronization event 16388
  • IDMU Password Synchronization event 8194
  • IDMU Password Synchronization event 8193
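
The same verification can be run as an event log query. This is an added example, not Microsoft's code: the function name is hypothetical, and limiting the search to events logged since the most recent service start (event 4096, MSG_STARTUP_INFO) is an assumption of the example.

```powershell
# Added example: summarize the error events listed above that were logged since
# the most recent Password Synchronization service start (event 4096).
function Get-PSyncErrorsSinceStart {
    $provider = 'Microsoft-Windows-IDMU-PSync'
    # Fail loudly if the provider is missing, so an empty result is not mistaken for "healthy".
    if (-not (Get-WinEvent -ListProvider $provider -ErrorAction SilentlyContinue)) {
        throw "Event provider '$provider' is not registered on this computer."
    }
    # Get-WinEvent returns newest events first, so -MaxEvents 1 is the latest start.
    $start = Get-WinEvent -FilterHashtable @{ ProviderName = $provider; Id = 4096 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
    $filter = @{ ProviderName = $provider; Id = 8193, 8194, 16388 }
    if ($start) { $filter['StartTime'] = $start.TimeCreated }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        ForEach-Object {
            [pscustomobject]@{
                Id     = [int]$_.Name
                Count  = $_.Count
                Latest = ($_.Group | Sort-Object TimeCreated -Descending |
                          Select-Object -First 1).TimeCreated
            }
        }
}

$found = @(Get-PSyncErrorsSinceStart)
if ($found.Count -eq 0) {
    'No 8193, 8194 or 16388 events logged since the last service start.'
} else {
    $found | Format-Table -AutoSize
}
```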

Related:

Event ID 4096 — Windows to UNIX Password Synchronization Service Availability

Updated: November 14, 2007

Applies To: Windows Server 2008

Windows to UNIX Password Synchronization Service Availability indicates the operational state of the Windows to UNIX password synchronization service and its availability to synchronize user account passwords to the UNIX environment that are changed in the Windows environment.

When Password Synchronization is configured for Windows-to-UNIX synchronization, and a password is changed on a Windows-based computer running Password Synchronization, the Password Synchronization service determines whether the user’s password is to be synchronized on UNIX computers. When the Password Synchronization service is operating normally, it encrypts the password and sends it to the Password Synchronization daemon on each computer with which the Windows-based computer is configured to be synchronized. The daemon then decrypts the password and changes the password on the UNIX host.

Generally, the service is available if it has read and modify permissions in the Windows Registry, and if the computer on which Password Synchronization is installed remains an Active Directory® Domain Services domain controller.

Event Details

Product: Windows Identity Management for UNIX
ID: 4096
Source: Microsoft-Windows-IDMU-PSync
Version: 6.0
Symbolic Name: MSG_STARTUP_INFO
Message: Password Synchronization service between Windows and UNIX was started.

Resolve

This is a normal condition. No further action is required.

Related:

The name %1 cannot be used for registration on Active Directory and DNS. It should fit Windows requirements and cannoy be equal to the computer name.

Details
Product: BizTalk Server
Event ID: 7460
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: The name %1 cannot be used for registration on Active Directory and DNS. It should fit Windows requirements and cannoy be equal to the computer name.
   
Explanation
The computer name used for the Active Directory and/or the DNS registration does not fit the computer name requirements.
   
User Action
Refer to the documentation for the maximum length and legal characters for computer names.

Related:

BizTalk HTTP receive adapter failed to initialize itself. Possible reasons: 1) Receive location URL is not created/configured correctly 2) Receive location is not enabled 3) HTTP receive adapter is not running under a user that has access to management and message databases 4) Isolated host instance is not created for HTTP Receive adapter.

Details
Product: BizTalk Server
Event ID: 5888
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: BizTalk HTTP receive adapter failed to initialize itself. Possible reasons: 1) Receive location URL is not created/configured correctly 2) Receive location is not enabled 3) HTTP receive adapter is not running under a user that has access to management and message databases 4) Isolated host instance is not created for HTTP Receive adapter.
   
Explanation

BizTalk Server 2004 HTTP listener failed to initialize.

Possible reasons: Receive location URL is not created or configured correctly. Receive location is not enabled. HTTP listener is not running under a user that has access to the management an

Related:

Failed while connecting to the BizTalk management database. Please verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.

Details
Product: BizTalk Server
Event ID: 5458
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: Failed while connecting to the BizTalk management database. Please verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.
   
Explanation
This event occurs when the NT service fails to connect to the BizTalk Server Management database.
   
User Action
Verify that the Windows account used by the BizTalk Windows service has sufficient permissions to access the management database.

Related:

Failed while registering the BizTalk Server NT service control handler with the Windows service control manager.

Details
Product: BizTalk Server
Event ID: 5425
Source: BizTalk Server 3.0
Version: 3.0.4604.0
Message: Failed while registering the BizTalk Server NT service control handler with the Windows service control manager.
   
Explanation
The service was launched as a regular application.
   
User Action
Start the service from the MMC window.
