I am having an issue with an active directory account not running login scripts. The scripts run fine in one location and not in the other.
Getting the following errors in the event logs:
GroupPolicy-Operational event ID 7007
Periodic policy processing failed for user domain\username in 1 seconds.
EventData
PolicyElaspedTimeInSeconds 1
ErrorCode 1265
PrincipalSamName domain\username
IsMachine 0
IsConnectivityFailure false
Event ID 40960 LSA (LsaSrv)
- System
- Provider
[ Name] LsaSrv
[ Guid] {199FE037-2B82-40A9-82AC-E1D46C792B99}
EventID 40960
Version 0
Level 3
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2015-01-13T15:03:17.679126200Z
EventRecordID 26015
Correlation
- Execution
[ ProcessID] 896
[ ThreadID] 4656
Channel System
Computer computer.domain.com
- Security
[ UserID] S-1-5-18
- EventData
Target cifs/domain
Protocol Kerberos
Error "{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer. (0xc0000023)"
# for hex 0xc0000023 / decimal -1073741789 :
STATUS_BUFFER_TOO_SMALL ntstatus.h
# {Buffer Too Small}
# The buffer is too small to contain the entry. No
# information has been written to the buffer.
# 1 matches found for "0xc0000023"
The Security System detected an authentication error for the server cifs/domain.com The failure code from authentication protocol Kerberos was "{Buffer Too Small}
The buffer is too small to contain the entry. No information has been written to the buffer.
(0xc0000023)".
Solution http://technet.microsoft.com/en-us/library/cc733950(v=ws.10).aspx
Running a Windows 2003 domain; the desktop is Windows 7, and the domain controllers are a mix of 2008 and 2003 servers.
We haven't rebooted some of the 2003 DCs for over 3 years (different story) and these are scheduled to be decommissioned.
Is it possible to authenticate a Windows AD account to a specific DC rather than the default DC, for the purposes of troubleshooting a login problem?
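Added example (not part of the question or either answer): a PowerShell script that pulls the two event types quoted above from the local logs of the affected Windows 7 client and lines them up by time, so that each 7007 periodic policy failure can be matched with the LsaSrv 40960 Kerberos error that preceded it. The EventData field names (PrincipalSamName, ErrorCode, Target, Protocol, Error) are the ones shown in the question; the lookback window is an assumption, and the meaning of Win32 error 1265 is taken from winerror.h (ERROR_DOWNGRADE_DETECTED, "the system cannot contact a domain controller").

```powershell
# Added example, not from the original post. Requires PowerShell 3+ (Get-WinEvent
# with -FilterHashtable) on the client that logs the errors.
param(
    [int]$Hours = 24   # assumption: how far back to look
)
$since = (Get-Date).AddHours(-$Hours)

# Win32 error codes seen in the GroupPolicy 7007 EventData (per winerror.h)
$win32 = @{ 1265 = 'ERROR_DOWNGRADE_DETECTED (cannot contact a domain controller)' }

# Group Policy periodic processing failures (the 7007 in the question)
$gp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 7007
    StartTime = $since
} -ErrorAction SilentlyContinue

# LSA authentication errors (the LsaSrv 40960 in the question)
$lsa = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LsaSrv'
    Id           = 40960
    StartTime    = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in @($gp) + @($lsa)) {
    # The XML view exposes the EventData fields the question quotes as name/value pairs
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $code = $data['ErrorCode']
    if ($code -and $win32.ContainsKey([int]$code)) { $code = "$code $($win32[[int]$code])" }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Principal = $data['PrincipalSamName']   # 7007 only
        ErrorCode = $code                       # 7007 only
        Target    = $data['Target']             # 40960 only, e.g. cifs/domain
        Protocol  = $data['Protocol']           # 40960 only
        Error     = $data['Error']              # 40960 only, the NTSTATUS text
    }
}

# Chronological view: a 40960 a second or two before a 7007 for the same logon points at the
# Kerberos exchange, not at Group Policy itself, as the thing to investigate.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it on the client where the scripts fail and again on a client at the location where they work; the Target value of the 40960 events tells you which service principal the failing client was trying to reach.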
This is actually surprisingly difficult to do.
There are a couple of workarounds, namely that you can create a new site for your client(s) and the Domain Controller you want them to use as a logon server, or that you can set the LdapSrvPriority registry setting on your domain controllers to give the highest priority to the DC you want used as the logon server. You can also configure the LdapSrvWeight registry setting on your domain controllers to assign a weighted priority for each one. Note that editing the registry settings on the domain controllers is a global change that will apply to all clients, not just the one you're testing, just as putting a domain controller in a new site will impact all client authentications as well.
As noted in the linked article, though, these settings will only make your client(s) prefer a given logon server, not force them to use a given logon server, and the complexities of authenticating against a Windows domain mean that your client may switch logon servers partway through the process anyway, so you may be just plain out of luck.
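Added example (not the answerer's code): a PowerShell script for the LdapSrvPriority / LdapSrvWeight approach described above, plus a client-side check of which DC the locator actually picks afterwards. The registry path (Netlogon\Parameters) and the DWORD value names are the documented ones; the domain and DC names are placeholders, and the nltest verification step is an addition of mine, not something the answer describes.

```powershell
# Added example, not from the answer above. The Set-* function runs elevated on EACH
# domain controller; the Get-* function runs on the client being tested.
$Domain      = 'domain.example'   # placeholder
$PreferredDc = 'DC01'             # placeholder: the DC you want clients to prefer
$netlogon    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-DcLocatorPreference {
    param([int]$Priority, [int]$Weight)
    # These feed the _ldap._tcp SRV records Netlogon registers in DNS:
    # lower Priority wins; Weight only balances among DCs with equal Priority.
    # Defaults are Priority 0 / Weight 100. This affects every client in the
    # forest that resolves these records, not just the one being tested.
    New-ItemProperty -Path $netlogon -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $netlogon -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    # Netlogon re-registers its SRV records when it starts
    Restart-Service Netlogon
    Get-ItemProperty -Path $netlogon -Name LdapSrvPriority, LdapSrvWeight
}

function Get-ClientLogonServer {
    param([string]$DomainName)
    # LOGONSERVER is the DC that handled this session's logon;
    # nltest /dsgetdc /force bypasses the locator cache and shows the DC chosen now.
    [pscustomobject]@{
        LogonServerAtLogon = $env:LOGONSERVER
        LocatorResultNow   = (nltest /dsgetdc:$DomainName /force) -join ' '
    }
}

# On the preferred DC: keep the defaults so it sorts first.
# On every other DC: a higher Priority number makes it a fallback only.
if ($env:COMPUTERNAME -eq $PreferredDc) {
    Set-DcLocatorPreference -Priority 0  -Weight 100
} else {
    Set-DcLocatorPreference -Priority 10 -Weight 100
}

# On the client (after DNS has picked up the new SRV records):
# Get-ClientLogonServer -DomainName $Domain
```

As the answer says, this only changes the preference order: if the preferred DC does not respond, or the client switches DCs partway through authentication, the locator falls back to the others, and the Get-ClientLogonServer output will show you when that has happened.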
It may be useful to see if detailed GPO logging reveals anything about the issue. It can be enabled with the following reg key. The resulting log file "gpsvc.log" can be found in %WINDIR%\debug\usermode.
Also, there is a history of articles regarding "Buffer too small" but typically this is logged under event System/LsaSrv/40960. Those problems are usually caused by a user/computer account that belongs to an excessive number of groups, which creates a Kerberos token size problem.
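Added example (not the answerer's code) covering both points of this answer: turning on verbose Group Policy client logging, and getting a rough Kerberos token-size estimate for the logged-on user to see whether group bloat is a plausible cause of the "Buffer too small" 40960. The Diagnostics key and the GPSvcDebugLevel DWORD (0x30002) are the documented settings for gpsvc.log, supplied here because the answer refers to the key without naming it; the token formula (1200 + 40d + 8s bytes) is Microsoft's published estimate, and 12000 bytes is the MaxTokenSize default on Windows 7 / Server 2008 era systems. Counting every domain group as a 40-byte entry is a deliberate worst-case simplification of mine.

```powershell
# Added example, not from the answer above. Run elevated on the affected client.

function Enable-GpsvcDebugLog {
    $diag   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    $logDir = Join-Path $env:WINDIR 'debug\usermode'
    if (-not (Test-Path $diag))   { New-Item -Path $diag -Force | Out-Null }
    if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
    # 0x30002 = verbose Group Policy service logging to %WINDIR%\debug\usermode\gpsvc.log
    New-ItemProperty -Path $diag -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
    # Returned so the caller knows where to look after the next gpupdate /force or logon
    Join-Path $logDir 'gpsvc.log'
}

function Get-TokenSizeEstimate {
    # whoami lists every SID in the current access token. Type 'Group' entries are
    # domain groups; 'Alias' are local/built-in groups; 'Well-known group' is e.g. Everyone.
    $groups       = whoami /groups /fo csv | ConvertFrom-Csv
    $domainGroups = @($groups | Where-Object { $_.Type -eq 'Group' })

    # Microsoft's estimate: 1200 + 40d + 8s, where d = domain local groups + universal
    # groups from other domains (+ SID history entries) and s = global groups + universal
    # groups from the user's own domain. Without the scope of each group (an AD query)
    # we bracket the result instead of computing it exactly.
    $max = 1200 + 40 * $domainGroups.Count   # every group counted as a 40-byte entry
    $min = 1200 +  8 * $domainGroups.Count   # every group counted as an 8-byte entry
    [pscustomobject]@{
        DomainGroupCount  = $domainGroups.Count
        EstimateBytesMin  = $min
        EstimateBytesMax  = $max
        MayExceedDefault  = ($max -gt 12000)   # pre-Windows 8 MaxTokenSize default
    }
}

Enable-GpsvcDebugLog
Get-TokenSizeEstimate | Format-List
```

If MayExceedDefault is true for the user whose scripts fail but not for a user who logs on cleanly at the same location, the group count, rather than the DC selection, is the first thing to chase; gpsvc.log will additionally show which DC the Group Policy client bound to and at what step it gave up.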