Unable to unlock computer when connected to the domain network

  • Question

  • Hi, we are experiencing this issue lately in our domain and it happens randomly to some of our users where they cannot unlock their computer.

    1. We are sure the user account is not locked in AD, nor is the password expired. The user account was successfully used to log in when the computer was first turned on, but when trying to unlock the computer after locking it, it says "The username or password is incorrect".
    2. It seems to only happen when the computer is connected to the domain network. When we unplug the LAN cable, the computer can be unlocked normally using their account password. But it will happen again when the computer is locked while connected to the domain. We have to unplug the LAN cable again, and this will keep happening constantly until we restart or force shutdown the computer.
    3. Even after restarting the computer, things will only go normally for a few times until it then shows the same behavior again.

    Our Active Directory is using Windows 2012 R2 server and we never had this issue before. Can anyone please help us? Many thanks in advance.


    Monday, April 11, 2016 3:41 AM

Answers

  • I'll suggest you check the event logs for the cause. If this does not help, try Netlogon logging. These might help:

    https://support.microsoft.com/en-us/kb/109626

    http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    https://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx


    Arnav Sharma | http://arnavsharma.net/

    Monday, April 11, 2016 5:24 AM
    Moderator
  • Hi Arranda Saputra,

    According to your description, it happens randomly to some of our users. We could start up in Clean Boot to avoid the effects of third-party software.

    Have you checked the Group Policy setting "Interactive Logon: Require Domain Controller authentication to unlock workstation"? Maybe it could be causing the issue.

    The policy setting can be found here:

    Computer Configuration - Policies - Windows Settings - Security Options. This could be defined in a domain policy or it could be defined by a local policy; an RSOP report would tell you where.

    Hope it will be helpful to you.


    Tuesday, April 12, 2016 11:59 AM
    Moderator
  • Hi everyone, I'm sorry for the late follow up.

    However we have found the solution. This situation is caused by our recently migrated DC from 2003 to 2012R2 and in security policy (Network Security: Configure encryption types allowed for Kerberos) we were only allowing DES_CBC_CRC, DES_CBC_MD5, and RC4_HMAC_MD5. 

    We changed this configuration to allow all types of encryption listed in the options - including the "future encryption types" option, monitored for about a week and the problem seems to have gone away.

    Thank you.

    Tuesday, May 10, 2016 1:48 AM
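
The policy named in the post above is stored as a bitmask, so the setting before and after the change can be compared directly. The following PowerShell is an added example, not part of the thread: the function name and the two sample masks are constructed here, while the bit values and registry path are the ones used by "Network security: Configure encryption types allowed for Kerberos".

```powershell
# Bit values of the SupportedEncryptionTypes mask written by the Kerberos
# encryption types policy.
$KerberosEtypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

# Hypothetical helper (name chosen for this example): decode a mask into the
# enabled options and report whether any AES type is allowed.
function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][int]$Mask)

    $enabled = foreach ($name in $KerberosEtypes.Keys) {
        $bits = $KerberosEtypes[$name]
        if (($Mask -band $bits) -eq $bits) { $name }
    }
    [pscustomobject]@{
        Mask          = '0x{0:X}' -f $Mask
        Enabled       = @($enabled)
        HasAes        = [bool]($Mask -band 0x18)
        LegacyEnabled = @($enabled | Where-Object { $_ -match '^(DES|RC4)' })
    }
}

# Constructed sample masks matching the two states described in the thread:
# 0x7        = DES_CBC_CRC + DES_CBC_MD5 + RC4_HMAC_MD5 only (no AES)
# 0x7FFFFFFF = every option ticked, including "Future encryption types"
ConvertFrom-KerberosEtypeMask -Mask 0x7
ConvertFrom-KerberosEtypeMask -Mask 0x7FFFFFFF

# Read back what is actually applied on the local machine, if the policy is set.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$applied = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes `
            -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -ne $applied) {
    ConvertFrom-KerberosEtypeMask -Mask $applied
} else {
    'SupportedEncryptionTypes is not configured by policy on this machine.'
}
```

A result with `HasAes` false on clients talking to a 2012 R2 domain controller corresponds to the restricted setting described in the post; `LegacyEnabled` lists the DES and RC4 options that remain allowed under either setting.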

All replies

  • Do the affected users have local accounts with the same login name (but different password) as the corresponding domain accounts?

    Best regards, George

    Monday, April 11, 2016 8:21 AM