Let's try this again, as there seems to be confusion and we've gathered more
information...
- User logs in and receives a message that their password has expired or
will expire in X number of days.
- User changes password successfully and continues working.
- User leaves computer and after X amount of time the screen-saver locks the
computer.
- User returns and attempts to unlock computer with new credentials.
- User receives a pop-up message:
Computer Locked
Your password has expired. Please change your password at another
machine and retry or contact your domain administrator.
- User calls our help desk and they verify that the client's account is NOT
locked out.
- User tries to authenticate again using the new credentials. Eventually,
the user account will become locked.
- Help desk unlocks account and user tries again. Eventually, the user
account will become locked.
- Help desk unlocks account and changes user's password (on the premise that
the user has actually forgotten new password).
- User attempts to unlock computer using new help desk supplied credentials.
User cannot log in. Eventually, the user account will become locked.
- Help desk remotely forces the logout or has the user hard reboot the system.
- User attempts to unlock computer using new credentials - successful login.
- When the user attempts to log in, the Security Event log on the computer
shows the standard 529 (Unknown user name or bad password) and 539 (Account
locked out) events that one would expect from a user providing incorrect
authentication credentials. The domain controller's Security Event log shows
an audit success 642 (User account changed) event from the initial password
change, a subsequent success audit 680 (successful login) event, 3 audit
failure 675 events (pre-authentication failure, User Name: <UserName>, UserID:
<GUID of UserName account>), then a success audit 644 (User account locked out).
- Our organization uses local profiles. We verified that the user was not
logged on anywhere else and that the client was not mapping any drives with
alternate credentials; we are able to ping, map to, and remotely control the
user's computer; and we do not allow users to store user names and passwords.
This seems to happen sporadically and does not always affect the same users.
We have been unable to duplicate the problem with test user accounts.
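As an added example (not from the original post or thread), the Python below correlates domain controller security-log entries into the exact sequence the post describes: a 642 password change for a user, followed by 675 pre-authentication failures and a 644 lockout, all within a configurable window. The event records, the user names and the timestamps are constructed for illustration; the function takes simple (timestamp, event ID, user) tuples so it can be fed from any export of the DC log.

```python
from datetime import datetime, timedelta

# Event IDs as named in the post (Windows 2000/2003 security-log numbering).
USER_ACCOUNT_CHANGED = 642   # success audit: the password change
ACCOUNT_LOGON_SUCCESS = 680  # the post calls this the successful logon event
PREAUTH_FAILURE = 675        # Kerberos pre-authentication failed
ACCOUNT_LOCKED_OUT = 644     # success audit: account locked out

# Constructed sample of DC security-log entries (timestamp, event ID, user).
# These are not real log data; they mimic the sequence described in the post.
SAMPLE_DC_EVENTS = [
    ("2004-03-01 08:02:10", 642, "jdoe"),     # password changed at logon
    ("2004-03-01 08:02:12", 680, "jdoe"),     # continues working
    ("2004-03-01 08:41:05", 675, "jdoe"),     # unlock attempts after screen-saver
    ("2004-03-01 08:41:07", 675, "jdoe"),
    ("2004-03-01 08:41:09", 675, "jdoe"),
    ("2004-03-01 08:41:09", 644, "jdoe"),     # lockout
    ("2004-03-01 09:10:00", 675, "asmith"),   # single typo, no change before it
    ("2004-03-01 09:12:00", 680, "asmith"),
    ("2004-03-01 10:00:00", 642, "bwong"),    # changed password, no failures after
    ("2004-03-01 10:00:03", 680, "bwong"),
]


def parse_event(record):
    """Turn a (timestamp, event_id, user) tuple into a normalised dict."""
    ts, event_id, user = record
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": int(event_id),
        "user": user.lower(),
    }


def lockouts_after_password_change(records, window=timedelta(hours=8)):
    """Return one finding per user whose 644 lockout follows a 642 password
    change within `window`, with the 675 failures in between counted.

    Users who only show stray 675s (a mistyped password with no preceding
    change) or who changed their password without later failures are not
    reported, so the output isolates the pattern from the post."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    findings = []
    for user, user_events in by_user.items():
        last_change = None   # time of the most recent 642 for this user
        failures = 0         # 675s seen since that change
        for event in user_events:
            if event["id"] == USER_ACCOUNT_CHANGED:
                last_change = event["time"]
                failures = 0
            elif event["id"] == PREAUTH_FAILURE and last_change is not None:
                failures += 1
            elif event["id"] == ACCOUNT_LOCKED_OUT and last_change is not None:
                if event["time"] - last_change <= window:
                    findings.append({
                        "user": user,
                        "changed_at": last_change,
                        "locked_at": event["time"],
                        "preauth_failures": failures,
                        "minutes_after_change":
                            (event["time"] - last_change).total_seconds() / 60,
                    })
                # A lockout closes the episode; a later 642 starts a new one.
                last_change = None
                failures = 0
    return findings


if __name__ == "__main__":
    for f in lockouts_after_password_change(SAMPLE_DC_EVENTS):
        print(f"{f['user']}: locked {f['minutes_after_change']:.0f} min after "
              f"password change, {f['preauth_failures']} pre-auth failures")
```

Running this on a day's worth of DC events gives the help desk a list of exactly the accounts whose lockout followed a password change, which is the population the post is describing; accounts with ordinary typo lockouts do not appear. The window of eight hours is an assumption chosen to cover a working day and should be adjusted to the site's screen-saver timeout and password-expiry behaviour.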