Re: "Please change your password at another machine"
Let's try this again as there seems to be confusion and we've gathered more
information...

- User logs in and receives a message that their password has expired or
will expire in X number of days.
- User changes password successfully and continues working.
- User leaves computer and after X amount of time the screen-saver locks the
computer.
- User returns and attempts to unlock computer with new credentials.
- User receives a pop-up message:

Computer Locked
Your password has expired. Please change your password at another
machine and retry or contact your domain administrator.

- User calls our help desk and they verify that the client's account is NOT
locked out.
- User tries to authenticate again using the new credentials. Eventually,
the user account will become locked.
- Help desk unlocks account and user tries again. Eventually, the user
account will become locked.
- Help desk unlocks account and changes user's password (on the premise that
the user has actually forgotten new password).
- User attempts to unlock computer using new help desk supplied credentials.
User cannot log in. Eventually, the user account will become locked.
- Help desk remotely forces the logout or has the user hard reboot the system.
- User attempts to unlock computer using new credentials - successful login.

- When the user attempts to log in the Security Event log on the computer
shows the standard 529 (Unknown user name or bad password) and 539 (Account
locked out) events that one would expect from a user providing incorrect
authentication credentials. The domain controller's Security Event log shows
an audit success 642 (User account changed) event from the initial password
change, a subsequent success audit 680 (successful login) event, 3 audit
failures 675 (pre-authentication failure User Name: <UserName>, UserID <GUID
of UserName account>), then a success audit 644 (User account locked out).

- Our organization uses local profiles. We verified that the user was not
logged on anywhere else, that the client was not mapping any drives with
alternate credentials, and that we are able to ping\map to\remote control the
user's computer; we do not allow users to store user names and passwords. This
seems to happen sporadically and does not always affect the same users. We have
been unable to duplicate the problem with test user accounts.
"Bob I" wrote:

It seems you have intentionally configured your systems so that if
communication is lost / interrupted to the PC, users can't authenticate
to the domain to unlock. If you insist on making sure that the
situation remains that way, then there isn't much I can suggest.

D. Harrison wrote:

That is NOT a solution. It's not even a good workaround. What we need is a
direct causal link - we need to know what generates this message and under
what conditions. Someone at Microsoft should know where this message comes
from.

"Bob I" wrote:

Then the only option I see remaining is to log off the user instead of
locking the PC.

D. Harrison wrote:

Until there's a solution, the situation won't change. The reason that we have
caching disabled is that it was causing lockout issues with users who log on
to multiple computers. As a result, we will not be enabling that again.

As for Power Saving, we don't foresee turning this back on any time in the
future.

"Bob I" wrote:

Has the situation changed? I would turn the caching on, and leave power
saving Off.

D. Harrison wrote:
Caching has been disabled and we've turned off Power Saving on system devices.

"Bob I" wrote:
Is caching of the users' passwords disabled on the PCs in question? And
is perhaps the NIC being turned off by the operating system when the PC
is locked?

D. Harrison wrote:
Users in a domain lock their computers. When they return and attempt to
unlock the computer they are unable. We have confirmed that the user account
is not locked. After resetting the user's password they receive the following
message when they attempt to unlock the computer:

"Please change your password at another machine and retry or contact your
Domain Administrator".

Users are not allowed back into the computer. Our only workaround has been
to reboot the computer. Once the system has been rebooted the users can log
in.