Cannot unlock workstation with ForceUnlockLogon and expired password
This article was previously published under Q329885
When you try to unlock the computer, you cannot unlock it. Additionally, you may receive an error message that resembles the following:
The password is incorrect. Please retype your password. Letters in passwords must be typed using the correct case.
You may also receive the following message:
Your password has expired. Please change your password at another machine and retry or contact your domain administrator.
Additionally, consider the following scenario in Windows Vista:
- You enable the following Windows Vista policy: Computer Configuration\Administrative Templates\System\Logon: "Hide entry points for fast user switching". You enable this policy together with the following Windows Server 2003 policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\"Interactive Logon: Require Domain Controller Authentication to unlock workstation"
- You log on to the domain on a workstation that is running Windows Vista.
- Your password is expired.
- You lock the workstation and then try to unlock it.
In this scenario, you receive the following message:
The password for this account has expired. To change the password, click Cancel, click Switch User and then log on.
Additionally, the Switch User button is unavailable.
This problem may occur if ForceUnlockLogon is enabled on your computer and if either of the following conditions is true:
- Your password has expired.
- Your account has the "User must change password at next logon" setting enabled.
To work around this problem, use one of the following methods:
- Log on to another workstation, change your password, and then use the new password to unlock your computer.
- Have an administrator unlock your computer.
Note: When you have an administrator unlock your computer, your session on your computer is forcibly logged off, and any unsaved work may be lost.
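The cause described above can be checked before a user locks the session. The following PowerShell is an added example, not Microsoft's code and not part of the original article. It assumes the Winlogon registry location for ForceUnlockLogon (the article does not state the path), domain controllers that expose the msDS-UserPasswordExpiryTimeComputed attribute, and an arbitrary three-day warning window.

```powershell
# Added example (not from the KB article); run on a domain-joined workstation.
# Assumption: Winlogon registry location of ForceUnlockLogon; the article does not state the path.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-ForceUnlockLogon {
    # A missing value means unlock uses the stored password hash, not a domain logon.
    $p = Get-ItemProperty -Path $WinlogonKey -Name ForceUnlockLogon -ErrorAction SilentlyContinue
    return [bool]($p -and $p.ForceUnlockLogon -eq 1)
}

function Get-PasswordState {
    param(
        [ValidatePattern('^[\w.\- ]+$')]   # keep the value safe to place in an LDAP filter
        [string]$SamAccountName = $env:USERNAME
    )
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' was not found in the current domain." }

    # Constructed AD attribute: 0 = must change at next logon,
    # Int64.MaxValue = password never expires, otherwise a FILETIME expiry.
    $raw = [int64]($result.Properties['msds-userpasswordexpirytimecomputed'] | Select-Object -First 1)
    $expires = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { [datetime]::FromFileTimeUtc($raw) }
    [pscustomobject]@{
        Account    = $SamAccountName
        MustChange = ($raw -eq 0)
        Expired    = ($null -ne $expires -and $expires -le [datetime]::UtcNow)
        ExpiresUtc = $expires
    }
}

$force = Test-ForceUnlockLogon
$state = Get-PasswordState
if ($force -and ($state.MustChange -or $state.Expired)) {
    Write-Warning "$($state.Account): unlock will fail after locking. Change the password before locking this session."
} elseif ($force -and $state.ExpiresUtc -and $state.ExpiresUtc -lt [datetime]::UtcNow.AddDays(3)) {
    # Three days is an arbitrary warning window chosen for this example.
    Write-Warning "$($state.Account): password expires $($state.ExpiresUtc.ToString('u')); change it before it lapses."
} else {
    "ForceUnlockLogon=$force; no unlock problem expected for $($state.Account)."
}
```

If the domain controller does not return the attribute, the script reads it as 0 and reports that the password must be changed, so confirm that result against the account settings.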
The ForceUnlockLogon registry entry was introduced in Microsoft Windows NT 4.0 Service Pack 4 (SP4) to make sure that an unlock request was sanctioned by a domain controller, and that account lockout was observed. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
188700 Screensaver password works even if account is locked out
281250 Information about unlocking a workstation
These articles discuss Windows XP and Windows NT 4.0; however, the information also applies to Windows 2000. In Windows NT 4.0, the new option can also cause a user account to be locked out prematurely, because incorrect unlock attempts were sent to the domain controller two times.
In Windows 2000, the message that appears for incorrect password entry and eventual account lockout was originally incorrect. See the following article on the post-SP2 hotfix that corrected this problem:
286778 Wrong message appears when the workstation is unlocked with an invalid password
The ForceUnlockLogon registry entry forces the workstation to log on, or authenticate, at every unlock attempt instead of using a stored hash of the user's password. For more information about unlocking a workstation, click the following article number to view the article in the Microsoft Knowledge Base:
281250 Information about unlocking a workstation
Article ID: 329885 - Last Review: 04/01/2009 23:15:36 - Revision: 5.0
Microsoft Windows XP Professional, Microsoft Windows 2000 Professional Edition, Microsoft Windows NT Workstation 4.0 Developer Edition, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Standard without Hyper-V, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Vista Business, Windows Vista Enterprise, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Starter, Windows Vista Ultimate