"Please change your password at another machine"

Guest

Users in a domain lock their computers. When they return and attempt to
unlock the computer they are unable. We have confirmed that the user account
is not locked. After resetting the user's password they receive the following
message when they attempt to unlock the computer:

"Please change your password at another machine and retry or contact your
Domain Administrator".

Users are not allowed back into the computer. Our only workaround has been
to reboot the computer. Once the system has been rebooted the users can log
in.
 
Bob I

Is the caching of the users' passwords disabled on the PCs in question? And
is perhaps the NIC being turned off by the operating system when the PC
is locked?
 
Guest

Until there's a solution, the situation won't change. The reason that we have
caching disabled is that it was causing lockout issues with users who log on
to multiple computers. As a result, we will not be enabling that again.

As for Power Saving, we don't foresee turning this back on any time in the
future.
 
Guest

That is NOT a solution. It's not even a good workaround. What we need is a
direct causal link - we need to know what generates this message and under
what conditions. Someone at Microsoft should know where this message comes
from.
 
Rock

D. Harrison said:
That is NOT a solution. It's not even a good workaround. What we need is a
direct causal link - we need to know what generates this message and under
what conditions. Someone at Microsoft should know where this message comes
from.

FYI, you're not talking to MS here. This is a peer to peer support
newsgroup. Occasionally an MS employee will post here but on their own
time. If you want MS tech support contact them through the normal channels.
 
Guest

I understand that this is a peer support forum. I was suggesting that
somewhere in all of Microsoft's universe, this specific message should be
documented. I was hoping I could find someone who knows where that
information is. Thanks for your valuable contribution.
 
Bob I

It seems you have intentionally configured your systems so that if
communication is lost / interrupted to the PC, users can't authenticate
to the domain to unlock. If you insist on making sure that the
situation remains that way, then there isn't much I can suggest.
 
Rock

D. Harrison said:
I understand that this is a peer support forum. I was suggesting that
somewhere in all of Microsoft's universe, this specific message should be
documented. I was hoping I could find someone who knows where that
information is. Thanks for your valuable contribution.

You're welcome. Try a different part of the universe. Here you go.

http://support.microsoft.com/gp/contactbug

http://support.microsoft.com/contactus/?WS=Wish

https://support.microsoft.com/commo...m/results.aspx?mkt=en-US&setlang=en-US&q=wish

And lastly, (e-mail address removed)
 
Guest

Let's try this again as there seems to be confusion and we've gathered more
information...

- User logs in and receives a message that their password has expired or
will expire in X number of days.
- User changes password successfully and continues working.
- User leaves computer and after X amount of time the screen-saver locks the
computer.
- User returns and attempts to unlock computer with new credentials.
- User receives a pop-up message:

Computer Locked
Your password has expired. Please change your password at another
machine and retry or contact your domain administrator.

- User calls our help desk and they verify that the client's account is NOT
locked out.
- User tries to authenticate again using the new credentials. Eventually,
the user account will become locked.
- Help desk unlocks account and user tries again. Eventually, the user
account will become locked.
- Help desk unlocks account and changes user's password (on the premise that
the user has actually forgotten new password).
- User attempts to unlock computer using new help desk supplied credentials.
User cannot log in. Eventually, the user account will become locked.
- Help desk remotely forces the logout or has the user hard reboot the system.
- User attempts to unlock computer using new credentials - successful login.

- When the user attempts to log in the Security Event log on the computer
shows the standard 529 (Unknown user name or bad password) and 539 (Account
locked out) events that one would expect from a user providing incorrect
authentication credentials. The domain controller's Security Event log shows
an audit success 642 (User account changed) event from the initial password
change, a subsequent success audit 680 (successful login) event, 3 audit
failures 675 (pre-authentication failure User Name: <UserName>, UserID <GUID
of UserName account>), then a success audit 644 (User account locked out).

- Our organization uses local profiles, we verified that the user was not
logged on anywhere else, the client was not mapping any drives with alternate
credentials, we are able to ping\map to\remote control the user's computer,
we do not allow users to store user names and passwords. This seems to happen
sporadically and does not always affect the same users. We have been unable
to duplicate the problem with test user accounts.
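
One way to pull the sequence described in the post above (a 642 change, a 680 success, repeated 675 failures, then a 644 lockout) out of exported domain controller Security log records, so affected users can be listed without waiting for a help desk call. This is an added example, not part of the original thread; the `timestamp,event_id,user` export layout, the sample rows, the function names and the 8-hour window are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Event IDs and meanings as given in the post (domain controller Security log).
PW_CHANGE, LOGON_OK, PREAUTH_FAIL, LOCKOUT = 642, 680, 675, 644

# Constructed sample export: timestamp,event_id,user (layout is an assumption).
SAMPLE = """\
2008-03-04T08:02:11,642,jdoe
2008-03-04T08:02:15,680,jdoe
2008-03-04T08:40:00,675,asmith
2008-03-04T09:31:40,675,jdoe
2008-03-04T09:31:52,675,jdoe
2008-03-04T09:32:05,675,jdoe
2008-03-04T09:32:05,644,jdoe
2008-03-04T11:00:00,644,bnew
"""

def parse(text):
    """Return (time, event_id, user) tuples sorted by time (stable for ties)."""
    rows = [(datetime.fromisoformat(t), int(e), u.lower())
            for t, e, u in csv.reader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r[0])

def lockouts_after_change(text, window=timedelta(hours=8)):
    """Report each 644 lockout that follows a 642 change for the same user
    within `window`, with the 680/675 counts seen in between."""
    state, findings = {}, []
    for when, eid, user in parse(text):
        if eid == PW_CHANGE:
            state[user] = {"changed": when, "ok": 0, "fail": 0}
        elif user in state and when - state[user]["changed"] <= window:
            s = state[user]
            if eid == LOGON_OK:
                s["ok"] += 1
            elif eid == PREAUTH_FAIL:
                s["fail"] += 1
            elif eid == LOCKOUT:
                findings.append({"user": user, "changed": s["changed"],
                                 "locked": when, "logons_ok": s["ok"],
                                 "preauth_failures": s["fail"]})
                s["ok"] = s["fail"] = 0   # later lockouts counted afresh
    return findings

if __name__ == "__main__":
    for f in lockouts_after_change(SAMPLE):
        print(f)
```

A finding with `logons_ok` above zero shows that the domain controller accepted the new password before the failures began, which separates this pattern from a user who simply mistyped the new password from the start.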
 
