Unlocking docked laptop presents "Logon failure: user account restriction."

  • Question

  • The problem we are seeing is with some screen-locked laptops placed in a docking station.  Our security policy has the machine locking after 'x' minutes of inactivity, and when they try to unlock the machine they are met with the error:

    Logon failure: user account restriction. 
    Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

    Should they undock then they can log into the laptop without the error, then re-dock and resume normal operations.  Not an ideal solution, but at least a workaround.

    This does not occur with all laptops, and we have never had it occur on a desktop.  I am struggling to find an answer to why this is occurring.

    I have tried the following things that Google says worked for others, but none have provided a solution:

    - “Accounts: Limit local account use of blank passwords to console logon only”  set in Group Policy

    - reset local administrator account password

    - ensure both user and computer AD accounts are not set for logon hour restrictions

    If anyone has a suggestion or solution that worked for them then I would greatly appreciate it if you could share.

    Thursday, March 10, 2016 9:58 PM

All replies

  • Perform the following steps on the remote computer:
      • Open Local Group Policy Editor by typing gpedit.msc in the Start Search box and pressing Enter.
      • Navigate to the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options branch.
      • Locate and double-click the "Accounts: Limit local account use of blank passwords to console logon only" option.
      • Select the radio button for Disabled to allow user accounts with a blank (or no) password to log in remotely.
      • Click OK.

    For users on systems without Local Group Policy Editor, follow the Registry Editor alternative:

    1. Run Registry Editor (RegEdit).
    2. Navigate to the following registry key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\

    3. Double-click the LimitBlankPasswordUse registry value name and set its value data from 1 to 0.
    4. Close Registry Editor.

    S.Sengupta, Windows Experience MVP

    Friday, March 11, 2016 12:06 AM
  • Hi Greg-R,

    If the issue persists, please try to re-add the machine to the domain as a test.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, March 11, 2016 3:19 AM
    Moderator
  • My original post already mentioned that this GPO/registry setting has been tried with no change in the results.
    Friday, March 11, 2016 3:52 PM
  • I have disjoined/rejoined one of the machines to the domain and the issue remains.
    Friday, March 11, 2016 5:27 PM
  • Hi Greg-R,

    I noticed you have configured the GPO. Have you checked the registry keys' configuration and ensured it has been configured correctly?

    Did the issue occur when the machine is out of the domain? Did the other users work well when the issue occurred? Are there any related error messages recorded in the Event Viewer?

    Best regards


    Monday, March 14, 2016 1:54 AM
    Moderator
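
Added example, not part of the thread: a PowerShell helper for the Event Viewer check asked about in the reply above. It decodes the Status and SubStatus fields of failed-logon events (Security log, event ID 4625), where logon type 7 is a workstation unlock and 0xC000006E is the NTSTATUS behind "user account restriction". It assumes logon-failure auditing is enabled on the laptop; the function name and the sample event are constructed for illustration.

```powershell
# Added example (not from the thread): NTSTATUS codes seen in event 4625.
$NtStatus = @{
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'   # "user account restriction"
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000005e' = 'STATUS_NO_LOGON_SERVERS'
}

function ConvertFrom-LogonFailure {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> pairs into a lookup table.
    $data = @{}
    foreach ($node in $EventXml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # Map a hex status string to its symbolic name; pass unknown codes through.
    $decode = {
        param($code)
        $key = "$code".ToLower()
        if ($NtStatus.ContainsKey($key)) { $NtStatus[$key] } else { $code }
    }
    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        User      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType = [int]$data.LogonType      # 7 = unlock
        Status    = & $decode $data.Status
        SubStatus = & $decode $data.SubStatus
    }
}

# Constructed sample event (values invented, not taken from the thread).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2016-03-14T18:40:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006e</Data>
    <Data Name="SubStatus">0xc000006f</Data>
    <Data Name="LogonType">7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonFailure $sample
# Live use on an affected laptop (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 200 |
#   ForEach-Object { ConvertFrom-LogonFailure ([xml]$_.ToXml()) } |
#   Where-Object LogonType -eq 7
```

The SubStatus value is the field that separates logon-hour, workstation, expired-password and disabled-account restrictions, all of which surface to the user as the same error text.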
  • I have confirmed the registry has the settings applied correctly.

    I have not tested it while removed from the domain as it is not easy to replicate on another machine that no end user is actively working on.  With that, I do not see any events in the logs that provide any information related to the issue.

    When the issue occurs it is isolated only to a few of the many laptops we have in service.  The only option we have is disabling the NIC/Wifi and getting them to unlock in cached mode.  After that they can re-enable the NIC/Wifi and continue working.

    Monday, March 14, 2016 6:46 PM
  • Hi Greg-R,

    Are all the machines the same model? Are they up to date?

    "The only option we have is disabling the NIC/Wifi and getting them to unlock in cached mode."
    As far as I know, the undocking feature is related to the Advanced Configuration and Power Interface (usually it is related to the driver). Based on your situation, I suspect there is something wrong with the network adapter's driver.
    Please try to disable the power-saving feature of the network adapter from the Device Manager. It is recommended to download the latest network adapter driver from the device manufacturer's website.
    Here is a link for reference of the "Undock" feature.
    Undock a Portable Computer
    https://technet.microsoft.com/en-us/library/cc754084.aspx?f=255&MSPPError=-2147217396

    Best regards


    Tuesday, March 15, 2016 5:37 AM
    Moderator
  • The network drivers are provided by Lenovo and are at the most current version.  Every deployed laptop runs the same version yet only a few of those dozen exhibit this issue.  I will revert to trying the hardware vendor driver instead to see if that makes any difference.
    Power saving is the first thing disabled after the network adapter is installed.

    Tuesday, March 15, 2016 3:11 PM
  • Hi Greg-R,

    I am looking forward to your good news.

    Best regards


    Wednesday, March 16, 2016 2:23 AM
    Moderator
  • Apologies for the delays in updating this thread.  I installed the Intel drivers for both the AC-7620 and the I217-LM and sent the user off a few weeks ago.  However, the issue persists when they are docked and locked.

    Again, this only happens to a couple laptop users - 1 Lenovo W530 and 2 Lenovo W540 out of 60 total.  All deployed laptops are built ground-up and use the same base image.  I've tried swapping out docking stations, but that too hasn't resolved the issue.

    Thursday, April 28, 2016 4:41 PM
  • I've done a bit more digging into the docking station angle.  Although from last year, they do have a firmware update for the docking station that I hope will resolve the issue.  Once applied to the affected laptop I will update this thread
    Thursday, April 28, 2016 9:13 PM
  • So, I've attempted installing the firmware update from Lenovo.  However, that tells me that I already have a newer version installed.

    Back to square one ....

    Monday, May 2, 2016 7:54 PM