Cannot unlock workstation with ForceUnlockLogon and expired password

Applies to: Microsoft Windows XP Professional, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V


When you try to unlock the computer, you cannot unlock it. Additionally, you may receive an error message that resembles the following:
The password is incorrect. Please retype your password. Letters in passwords must be typed using the correct case.
You may also receive the following message:
Your password has expired. Please change your password at another machine and retry or contact your domain administrator.
Additionally, consider the following scenario in Windows Vista:
  • You enable the following Windows Vista policy:
    Computer Configuration\Administrative Templates\System\Logon: “Hide entry points for fast user switching”
    You enable this policy together with the following Windows Server 2003 policy:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\“Interactive Logon: Require Domain Controller Authentication to unlock workstation”
  • You log on to the domain on a workstation that is running Windows Vista.
  • Your password is expired.
  • You lock the workstation and then try to unlock it.
In this scenario, you cannot unlock the workstation. You receive the following error message:
The password for this account has expired. To change the password, click Cancel, click Switch User and then log on.
Additionally, the Switch User button is unavailable.


This problem may occur if ForceUnlockLogon is enabled on your computer and if either of the following conditions is true:
  • Your password has expired.
  • Your account has the User must change password at next logon setting enabled.
This problem may also occur if ForceUnlockLogon is not enabled, but the computer determines that it has to contact the domain controller to unlock the workstation because it was locked or on standby for an extended time.


To work around this problem, use one of the following methods:
  • Log on to another workstation, change your password, and then use the new password to unlock your computer.
  • Have an administrator unlock your computer.

    Note: When you have an administrator unlock your computer, your session on your computer is forcibly logged off, and any unsaved work may be lost.
If ForceUnlockLogon is not enabled, and the computer is running Windows Vista, click Start, click Switch User, and then log on as the same user. (You will be prompted to change your password.)

More Information

The ForceUnlockLogon registry entry was introduced in Microsoft Windows NT4.0 Service Pack 4 (SP4) to make sure that an unlock request was sanctioned by a domain controller, and that account lockout was observed.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

188700 Screensaver password works even if account is locked out

281250 Information about unlocking a workstation

These articles discuss Windows XP and Windows NT4.0; however, the information also applies to Windows 2000. In Windows NT4.0, the new option can also cause a user account to be locked out prematurely, because incorrect unlock attempts were sent to the domain controller two times.

In Windows 2000, the message that appears for incorrect password entry and eventual account lockout was originally incorrect. See the following article on the post-SP2 hotfix that corrected this problem:
286778 Wrong message appears when the workstation is unlocked with an invalid password

The ForceUnlockLogon registry entry forces the workstation to log on, or authenticate, at every unlock attempt instead of using a stored hash of the user's password.
For more information about unlocking a workstation, click the following article number to view the article in the Microsoft Knowledge Base:

281250 Information about unlocking a workstation