A ticket comes in stating that a password has not been changed. This is the first place to look, as it will tell you where else to look.


Go to and log in.

Once in, click on Log Checking.

Working from left to right:

  • You need to select the table: use either SPSR or SPSP. If one doesn't return the results you expected, try the other.
    • SPSR will tell you if we received the new password.
    • SPSP will tell you what our system did with it after. Use this first as it gives more information.
  • Set the date range. Always set it an hour or two before the customer said they did it, and a couple of hours after, just to cover any differences in their computer time and delays in the system.
  • The other boxes are how you search. Feel free to use any, but the one that will return the best results is the Tenancy ID.
    • To find the Tenancy ID: you need to go to, log in, type the company name into the search box in the top-right to search for them, then click onto Applications on the left. In here click on any of the programs and scroll to the bottom. There is a small box just after the Tenancy ID. Clicking on that will copy the Tenancy ID without having to highlight it (The same can be done for the GUID).

After that just click search. When it comes up with the results, you need to filter them using the details you have. The usual detail you will have is their email or name. Usually this will suffice to find them, so find the column titled UserGUID and click on the down-arrow to the right of it. This will bring up a menu.

Change the first drop-down box from Is Equal To to Contains, which means you do not need the exact GUID, and type in their surname or the first part of the email address (before the @). Press Filter to see the results. If there are no results, we will need to find the exact GUID.

Finding the Exact GUID

The easiest way is to find the user on Find the company using the search in the top-right, then find the user in question under Cloud Vault > Users. Click on the user's name, and their sAMAccountName will be listed just below their email address. That is the UserGUID.

If you cannot find the user on there, open Royal TS and search for SQL9 in Navigation, then open it, choosing either the EU or US one depending on the customer.

Search the Connector Space first by selecting IAC-<EU or US>-CONNECTORSPACE. Right-click on it, and select New Query. That will open a tab on the right.

This tab is where you type your SQL queries. In this situation you need the query:

select [samaccountname], [pwdlastset], * from [dbo].[<tenancyID>_objects] where mail = '<email address>'

If you don't have the email address, you can change mail to something else, like DisplayName. You can also change the = to like, and it will find any results that have what you put between the ' ' anywhere in the mail address, but you must include a % before and after what you type or it will find no results.

There should only be one result, so confirm it is the correct one using the other details that you know and copy the samaccountname. You can also check the pwdlastset to see when the password was last set; if it is not when they say they reset it, then you know there is going to be an issue.

Once you have the samaccountname, put that into the box for the UserGUID above, and press Filter.
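The query variations described above, as an added T-SQL example that is not part of the original page. It runs against a temporary table of constructed rows standing in for [dbo].[<tenancyID>_objects]; the datetime2 type for pwdlastset, the sample users and the two-hour comparison window are assumptions.

```sql
-- Constructed stand-in for [dbo].[<tenancyID>_objects]. Column names follow the
-- page's query and prose; the rows and the pwdlastset data type are assumptions.
create table #objects (
    samaccountname nvarchar(64),
    mail           nvarchar(256),
    DisplayName    nvarchar(256),
    pwdlastset     datetime2
);

insert into #objects (samaccountname, mail, DisplayName, pwdlastset) values
    ('jsmith',    'john_smith@example.com', 'John Smith',   '2024-03-04 09:12:00'),
    ('jxsmith',   'johnxsmith@example.com', 'Johan Smith',  '2024-02-11 16:40:00'),
    ('asmithson', 'a.smithson@example.com', 'Ann Smithson', '2024-03-01 08:05:00');

-- 1. Exact match on the full address, as in the page's query.
select [samaccountname], [pwdlastset], * from #objects
where mail = 'john_smith@example.com';

-- 2. LIKE with no % behaves like =, so a partial value finds nothing.
select [samaccountname], [pwdlastset], * from #objects
where mail like 'smith';

-- 3. LIKE with % on both sides matches the text anywhere in the address.
--    A short fragment can match several users, so confirm the row before
--    copying the samaccountname.
select [samaccountname], [pwdlastset], * from #objects
where mail like '%smith%';

-- 4. In LIKE, '_' matches any single character, so this pattern is not
--    limited to addresses that contain a literal underscore.
select [samaccountname], [pwdlastset], * from #objects
where mail like '%john_smith%';

-- 5. Wrapping the underscore in [ ] makes it a literal character.
select [samaccountname], [pwdlastset], * from #objects
where mail like '%john[_]smith%';

-- 6. Compare pwdlastset with the time the customer reported, allowing two
--    hours either side (assumed tolerance for clock differences and delays).
declare @reported datetime2 = '2024-03-04 09:30:00';  -- constructed value
select [samaccountname], [pwdlastset],
       case when [pwdlastset] between dateadd(hour, -2, @reported)
                                  and dateadd(hour,  2, @reported)
            then 'matches reported reset' else 'does not match' end as reset_check
from #objects
where DisplayName like '%Smith%';

drop table #objects;
```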


Usually you will find some entries for that user. You will want to look at Log Message to find out what is going on. There are many different possible messages, but if the newest one says Success on sending to CDC, then the password was set, but there is another problem.

Here are some possible results:

  • User not in MetaDB
  • User not in CS
  • Failed on sending to CDC

If there is any other reason given, and you cannot see a solution here, then ask for help.

No Results

If there are no results for that user:

  • Confirm what time they reset the password, and make sure you are including that time in the search, and at least a couple of hours either side.
  • Confirm that you have the correct user, asking the customer to confirm the samaccountname if necessary.
  • Check when the connector space records that the user's password was last set and compare it to when the customer said it was set.
    • To do this, open Royal TS and search for Fim5 or SQL9 in Navigation, then open it, choosing either the EU or US one depending on the customer.
    • Search the Connector Space first by selecting IAC-<EU or US>-CONNECTORSPACE. Right-click on it, and select New Query. That will open a tab on the right.

    • This tab is where you type your SQL queries. In this situation you need the query:

      • select [pwdlastset], * from [dbo].[<tenancyID>_objects] where mail = '<email address>'

    • If you don't have the email address, you can change mail to something else, like Name. You can also change the = to like, and it will find any results that have what you put between the ' ' anywhere in the mail address as long as you include a % before and after what you type.
  • Check the customer's CDC if they have one.
    • This applies only to old-world customers: those that are not on Fim1.
    • Open Royal TS and search for the company name, or the company's c0 number (viewable on Freshdesk). That should return two different servers: DC1 and DC2. Open DC2.
    • Once connected, you need Active Directory Users and Computers, which will either be open already and look like a book on the taskbar, or will be in the start menu.
    • The location of the users tends to be one of two places: either IAC_Infrastructure, or a folder with the customer's C0 number (which is viewable in the server's name, e.g. WEU-<C0 number>-DC2.).
    • The easiest way to find a user is to go to View > Filter Options on that program and click on Customize.
      • If there is already a custom search in the Condition List, double-click it to edit. Make sure it says E-Mail address in the field (use the drop-down box to change it if not). Choose the Condition; these allow you to search with part of the email address, or find all users who don't have an email address, etc. Is (Exactly) should be used if you know the address, Starts With if you only know part of it. Change the Value to the email or other detail that you know is in their email.
      • If there is not already one in there: create it the same way as above.
    • Now look in the two folders mentioned above. You are looking for an entry with the type User.
      • If you cannot find it: look in the other folders as well, and if you still cannot find it, then ask for help.
    • When you find the user, double-click on them to open the properties, and go to the Attribute Editor tab to check the pwdlastset.
      • If you cannot see the Attribute Editor tab, then close the properties, go to View and click on Advanced Features to tick it, then open the properties again.

If the pwdlastset is not what you would expect to see, ask the customer to reset it again, giving you the time they reset it, and repeat the checks. If it is still not showing, then there may be a problem with their SPS, and that usually requires a TeamViewer session to diagnose. If the reset comes through this time, then follow the steps above for the result.

If everything looks fine, then you'll have to investigate further.

User not in CS

If the logs state that the user is not in the CS, then we have not received the user yet. Run a Delta Sync for the customer by going onto their FIM (1 or 5, EU or US) and opening Task Scheduler; it should already be open and has a clock icon. Find the customer in the list of tasks in the Task Scheduler Library, which is on the left. Right-click on the customer and select Run.

Once that has completed the user should be in the CS, so ask the customer to reset the password again.

Should the user still not be in the CS after the sync, ask the customer to ensure the user is in the Synced Users folder, or a sub-folder of it, in their AD. If it is, then there may be an issue with their SPS which we would need to investigate using TeamViewer.

User Not in MetaDB

If the log states that the user is not in MetaDB, and the customer is old-world, then we'll need to run a script.

First: the easiest way to confirm if the customer is old-world is to type their name into your search in RoyalTS. If it comes up with some DCs then they are old world. Go onto their DC2. If no DCs come up, or when you try to access DC2 it tells you that the computer no longer exists, then check on FIM1 for their region: they should appear in the Task Scheduler / FIM Management Agents lists.

Old World

Once DC2 is open, go to C:\IAMCloud\MetaDB\ and run the MetaDBUpdate.ps1 by dragging it onto a PowerShell window. Once you press enter it will work through the script automatically. Once complete you can check the list of users to make sure the one you want was added, or if the list is long, then search MetaDB by going to Fim5 or SQL9 for the customer's region and doing a new query on IAC-<EU or US>-ENGINE and entering:

select mail,* from [dbo].[metadb-sv] where mail = '<email>'

Or change the mail to whatever is appropriate. You can use Like with % same as before. If any results come up, check the other details to make sure it is for the right customer. If so, then the script worked and you can ask the customer to reset the user's password again. If not, then you'll need to check the script for any errors for that user. If there are no errors, then find the user in the CS as above, and check their details against the classification rules on portal by going to the portal, into Cloud Vault > Classifications and clicking on each classification to see the rules. If you are not sure which fields to check for the classifications, then ask for help.

Should the user not meet any of the classification rules, or the customer has a lot of classifications, then ask the customer to check the user at their end to see if they are meeting all the classification rules. Should the user meet classification rules, then further investigation will be required, so ask for help.

New World

First search for the user by going to FIM and opening the Metaverse Search tab. Double-click in the Attribute box to choose which attribute to search by: samaccountname, email, etc. Change the Operator to something appropriate: Equals is an exact match, Contains matches if the attribute has what you enter in the field anywhere in it (no wildcard symbols are required), Starts With and Ends With are self-explanatory, and the other two simply check whether the chosen attribute is there or not. Fill the value in with what you are searching for. Press the Search button on the right. Results should appear in the bottom window. Should nothing appear, then you will need to search using different criteria.

When results are found, you will need to select the right one: you can click on Column Settings on the right side to display different columns to make it easier to identify. mail / samaccountname tend to be the most useful, but feel free to add any that will help. Double-click on the right user and go into the Connectors tab. There should be three connectors for most users: MetaDB, CDC, and the MA, though sometimes they have different names. Occasionally you may see users with more. Usually in this situation, the MetaDB one will be missing, which is covered below. If it is there: click on the MetaDB one (or all three if you are not sure which is the MetaDB) and the Changes column should say either None, Update, or Add. If None, then ask for help. If Update or Add, then click on Preview at the bottom, leave it on Full Synchronisation, and click Generate Preview. If the preview was successful, then click on Commit Preview and wait a couple of minutes. If the preview was not successful, then click on the error in the list on the left, and if you are not sure how to resolve it, then ask for help. There are too many possible issues to cover here.

If the user is missing any of the connectors, particularly the MetaDB one, then go to the Joiner tab. You will need to find MetaDB in the Management Agent box. You can get that by going to the customer's entry on the Management Agent tab. Ensure that All Disconnector Types is selected, then click Search. The CloudAnchor will be a number after a type; you will be looking for User in the type. You can use the Column Settings on the right to add columns to make the entry for your user easier to find. Should the user not come up, then ask for help.

Once you have found the user in the list, click on Configure Search Filters at the bottom. Click on Add, then fill in the boxes. Name is just how it will show in the list. When you have chosen the Metaverse Attribute, make sure you change it from Datasource Attribute to Constant String. This will enable you to search as you did on the Metaverse Search tab. Add it and press OK. Go back to the Joiner tab, select your newly created search from the list and press Apply Filter. It will display results in the box below, so find the user in there again, using Column Settings to help again if needed. Once you have found the user in both, click on them both and press the Join button. It will ask you to confirm. After joining, run a delta sync using Task Scheduler as before, then ask the customer to reset the password again. Ask for help if it doesn't allow you to join them.

Failed on Sending to CDC

In this case it is usually a good idea to ask the customer to reset the password again: most of the time this is a temporary error, but if it fails again, then you'll need to check that the IAMCloud Directory Application on portal ConnectsTo the correct CDC, though if not it will usually affect all their users. If it does, and the CDC isn't down, then