Cannot unlock workstation with ForceUnlockLogon and expired password

Article translations Article translations
Article ID: 329885 - View products that this article applies to.
This article was previously published under Q329885
Expand all | Collapse all

SYMPTOMS

When you try to unlock the computer, you cannot unlock it. Additionally, you may receive an error message that resembles the following:
The password is incorrect. Please retype your password. Letters in passwords must be typed using the correct case.
You may also receive the following message:
Your password has expired. Please change your password at another machine and retry or contact your domain administrator.
Additionally, consider the following scenario in Windows Vista:
  • You enable the following Windows Vista policy:
    Computer Configuration\Administrative Templates\System\Logon: “Hide entry points for fast user switching”
    You enable this policy together with the following Windows Server 2003 policy:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ "Interactive Logon: Require Domain Controller Authentication to unlock workstation”
  • You log on to the domain on a workstation that is running Windows Vista.
  • Your password is expired.
  • You lock the workstation and then try to unlock it.
In this scenario, you cannot unlock the workstation. You receive the following error message:
The password for this account has expired. To change the password, click Cancel, click Switch User and then log on.
Additionally, the Switch User button is unavailable.

CAUSE

This problem may occur if ForceUnlockLogon is enabled on your computer and if either of the following conditions is true:
  • Your password has expired.
  • Your account has the User must change password at next logon setting enabled.
This problem may also occur if ForceUnlockLogon is not enabled, but the computer determines that it has to contact the domain controller to unlock the workstation because it was locked or on standby for an extended time.

WORKAROUND

To work around this problem, use one of the following methods:
  • Log on to another workstation, change your password, and then use the new password to unlock your computer.
  • Have an administrator unlock your computer.

    Note When you have an administrator unlock your computer, your session on your computer is forcibly logged off, and any unsaved work may be lost.
If ForceUnlockLogon is not enabled, and the computer is running Windows Vista, click Start, click Switch User, and then log on as the same user. (You will be prompted to change your password.)

MORE INFORMATION

The ForceUnlockLogon registry entry was introduced in Microsoft Windows NT4.0 Service Pack 4 (SP4) to make sure that an unlock request was sanctioned by a domain controller, and that account lockout was observed. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
188700 Screensaver password works even if account is locked out
281250 Information about unlocking a workstation
These articles discuss Windows XP and Windows NT4.0 however the information also applies to Windows 2000. In Windows NT4.0, the new option can also cause a user account to be locked out prematurely, as incorrect unlock attempts were sent to the domain controller two times.

In Windows 2000, the message that appears for incorrect password entry and eventual account lockout was originally incorrect. See the following article on the post-SP2 hotfix that corrected this problem:
286778 Wrong message appears when the workstation is unlocked with an invalid password
The ForceUnlockLogon registry entry forces the workstation to log on, or authenticate at every unlock attempt instead of using a stored hash of the user's password. For more information about unlocking a workstation, click the following article number to view the article in the Microsoft Knowledge Base:
281250 Information about unlocking a workstation

Properties

Article ID: 329885 - Last Review: April 1, 2009 - Revision: 5.0
APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
Keywords: 
kbprb kberrmsg KB329885

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com