Information about unlocking a workstation


This article describes the behaviors to expect when you attempt to unlock a locked workstation.

Note This behavior only happens when you have Fast User Switching disabled. (When you join a Windows XP Professional computer to a domain, the Welcome Screen logon (and Fast User Switching) is disabled.)

More Information

You can unlock a workstation either manually or by means of a program (for example, by using a screen saver). When the workstation is locked and you attempt to unlock it, you can observe standard expected behaviors from the unlocking process.

When a user logs on to a computer, the Winlogon service stores a hash of the user's password for future unlock attempts. When the user attempts to unlock the workstation, the password entered is verified against this stored copy. If the password entered in the unlock dialog box matches the stored hash, the workstation is unlocked. If the password entered does not match the stored hash, the workstation attempts to log on (authenticate the password). If the logon process succeeds, the local hash is updated with the new password. If the logon process is unsuccessful, the unlock process is also unsuccessful.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

The preceding process has been designed to limit network traffic generated by the workstation. However, if more stringent behavior is needed, there is a registry entry that forces the workstation to log on (authenticate) at every unlock attempt. The following registry setting is read every time the computer is locked:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: ForceUnlockLogon
0 - Do not force authentication inline (default)
1 - Require online authentication to unlock

The preceding value controls whether a full logon is performed during the unlock process. This can force a validation at the domain controller for the user attempting the unlock process.

Note If the value is not present, it functions as if it had been set to 0 (zero).
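The following Python model is an added example, not Microsoft code. It walks through the unlock decision described above for a constructed case in which the account is locked out at the domain controller after the workstation was locked. The class names, the sample password, and the SHA-256 stand-in hash are assumptions made for the model; the article does not say which hash Winlogon stores.

```python
import hashlib
import hmac

def model_hash(password):
    # Stand-in hash for this model only; not the algorithm Winlogon uses.
    return hashlib.sha256(password.encode("utf-8")).digest()

class DomainController:
    """Constructed stand-in for the authority that performs a full logon."""
    def __init__(self, password, locked_out=False):
        self.password, self.locked_out, self.logon_requests = password, locked_out, 0

    def logon(self, password):
        self.logon_requests += 1  # every full logon is network traffic
        good = hmac.compare_digest(model_hash(password), model_hash(self.password))
        return good and not self.locked_out

class Workstation:
    def __init__(self, dc, force_unlock_logon=None):
        self.dc = dc
        # A missing value (None) behaves as 0, as the article's note states.
        self.force = force_unlock_logon == 1
        self.cached_hash = None

    def logon(self, password):
        # A successful logon stores (or updates) the local hash.
        if self.dc.logon(password):
            self.cached_hash = model_hash(password)
            return True
        return False

    def unlock(self, password):
        cached = self.cached_hash
        if not self.force and cached and hmac.compare_digest(cached, model_hash(password)):
            return True  # matched the stored hash: unlocked without a logon
        # Mismatch, or ForceUnlockLogon = 1: the unlock succeeds only if logon does.
        return self.logon(password)

def scenario(force_unlock_logon):
    """Return (unlocked, logon requests made by the unlock attempt)."""
    dc = DomainController("Constructed-Pass1")
    ws = Workstation(dc, force_unlock_logon)
    ws.logon("Constructed-Pass1")
    dc.locked_out = True  # account locked out while the workstation is locked
    before = dc.logon_requests
    return ws.unlock("Constructed-Pass1"), dc.logon_requests - before

if __name__ == "__main__":
    for value in (None, 0, 1):
        print(value, scenario(value))
```

In the model, a value of 0 or a missing value unlocks from the stored hash without contacting the domain controller, while a value of 1 sends the attempt to the domain controller, which rejects it.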

For more information about the ForceUnlockLogon registry value, click the following article numbers to view the articles in the Microsoft Knowledge Base:

188700 Screensaver password works even if account is locked out


Article ID: 281250 - Last Review: Oct 23, 2008 - Revision: 1