user account problems in windows server 2003

[abishek 001]

Hi all!
I have a huge problem! I can not create a user account with windows 2003 server because when creating the password, I am told that the account can not be created because the strategy of password is not good. I try to create complicated password, but I always have the same problem! It would be very kind of you if you help me a little! Thank you

[Expertz]

Even if you will not be using Terminal Services or have any other users using your server it is ALWAYS recommended to create an additional two (2) users, apart from Administrator. These two users are - another member of the "Administrators" group (to avoid actually logging on with the Administrator account, but you have the same privileges) AND a regular user, who is part of the "Users" group. It is recommended to only log on with the regular user, and use the "runas" command when you need to run a program as an Administrator, and to only log on with the secondary Administrator user when it is absolutely needed. This will show you how to create a secondary Administrator.

Method:

1. Click the Start button, then Run...
2. Then type "lusrmgr.msc" without the quotes
3. In the window that opens, right click in the right panel and click "New User"
4. In the New User dialog, type in your preferences for a new user name and password (this will be our secondary Administrator account). Uncheck User must change password, and check Password never expires
5. Now, right click the new user and click Properties in the pop up menu
6. Go to the "Member of" tab and press the Add button
7. Type "Administrators" without the quotes, then press the Check Names button (to complete the name, it will add the name of your computer) and press OK when it is done, then press OK on the Local Users and Groups dialog
8. We now have a secondary Administrator account! To have a regular user (highly recommended) do the same as above, until the User properties.

Source: visualwin.com

[newtech]

Windows 2003 domain controllers may not be able to create user accounts, computer accounts or security groups if the local RID pool is used up and cannot obtain a new RID pool from the RID operations master. The domain controller cannot be discovered by network clients that are trying to perform LDAP queries or authentication requests.

Provided enough network connectivity to the RID operations master, a domain controller does not experience this condition unless the rate of RID consumption is quite high. For example, if the rate of security principal creation exceeds the domain controller's ability to acquire a new RID pool from the RID operations master, the domain controller temporarily cannot service security principal creations. Upon successful RID pool acquisition, this condition stops, and security principal creation can resume.

Events 16645 and optionally event 16651 are logged in the Directory services event log for domain controllers that cannot acquire new rid pools. The message text for each event is " The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller. Account creation on this controller will fail until a new pool has been allocated. There may be network or connectivity problems in the domain, or the master domain controller may be offline or missing from the domain. Verify that the master domain controller is running and connected to the domai"
Event 16651
"The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is %n " %1 " "
(((((((((((((((CAUSE)))):
Users, computers and groups in Active Directory are collectively known as "security principals". Security principals are assigned unique alpha-numeric numeric strings that are called security identifiers, or SIDs. The SID for a security principal is made up of a domain-wide SID concatenated with a unique, relative identifier (RID). The RID is allocated by a Windows 2000 domain controller in the domain at the time the security principal is created.

Individual domain controllers maintain local RID pools that are obtained from a global pool on the RID operations master. By default, RID pools are obtained in increments of 500. Windows 2000 domain controllers request a new RID when 20 percent of the RID pool remains. Domain controllers in the E-commerce folder or large scale ADMT migration environments can create large numbers of security principals in a short period of time. This may use up their local RID pools more quickly than conventional enterprise deployments.

Problems occur when a domain controller's local RID pool is used up and cannot obtain a new pool from the RID operations master because of problems with itself. The RID operations master, the network, and the domain controller then cannot create additional security principals and stop advertising domain controller services until a new local pool is obtained.

To reduce the chance of this loss of service, administrators can increase the number of RIDs that are allocated by the RID operations master in each pool by adjusting the REG_DWORD RID Block Size value on domain controllers under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\
However, because of a flaw in the RID threshold compare logic, "RID Block Size" values beyond 500 were effectively ignored and reverted back to the default allocation of 500.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\ RID Block Size (REG_DWORD)

[nitesh mehta]

System properties>advanced>performance>Data execution prevention
Select "turn on DEP for essential windows programs and services only"
Then reboot.
If that doesnt solve it, try running a DCDIAG and tell us if it finds any errors.