Access Denied--Handling Console Unlocks in Win2K

I'm experiencing a problem with some Windows 2000 clients. When users log on to a domain, a message appears stating that their password will expire in a certain number of days and asking whether they want to change the password immediately. If users cancel the message, it pops up again the next time they log on, as you would expect. If users change their passwords, the next time they unlock their workstations (after the unattended workstations have locked automatically), the same message appears, even though they've just changed their passwords. (At that point, because account policy lets users change their passwords only once every 7 days, they can't change passwords again.) However, if users log off and log on again right after they change their passwords, the message doesn't appear. Why does logging off and then on after changing the password solve the problem?

Internally, Win2K treats console unlocks (i.e., pressing Ctrl+Alt+Del at a locked workstation) as logons. In fact, Win2K logs event ID 528 (successful logon) whenever users unlock their workstations. The specific logon type that's reported in the details of event ID 528 in this scenario is 7. The Win2K function that handles console unlocks doesn't recognize that users have already changed their passwords; therefore, Win2K displays the expiration message again. Until Microsoft fixes the problem, notify users to ignore the prompt to change passwords when they unlock their workstations.
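Because unlocks show up as event ID 528 with logon type 7, anyone counting 528 events to measure logons will over-count. The following Python script is an added example (not part of the original column) that separates unlocks from other successful logons; it assumes a simplified comma-separated export of the Security log ("event ID,account,logon type") constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

# Logon type codes as reported in the event details; type 7 is the
# console unlock discussed above.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
}

# Constructed sample export (made-up lines, not a real log):
# event ID, account, logon type
SAMPLE_EXPORT = """\
528,alice,2
528,alice,7
528,alice,7
528,bob,2
528,bob,7
529,carol,2
528,svc-backup,5
"""

RECORD_RE = re.compile(r"^(?P<event_id>\d+),(?P<account>[^,]+),(?P<logon_type>\d+)$")


def parse_records(export_text):
    """Yield (event_id, account, logon_type) tuples, skipping malformed lines."""
    for line in export_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield int(m["event_id"]), m["account"], int(m["logon_type"])


def summarize_528(export_text):
    """Split successful-logon events (528) into unlocks (type 7) and real logons.

    Returns overall counts plus a per-account Counter of logon type names,
    so a reviewer can see how many 528s for an account are only unlocks.
    """
    summary = {"unlocks": 0, "other_logons": 0, "per_account": defaultdict(Counter)}
    for event_id, account, logon_type in parse_records(export_text):
        if event_id != 528:
            continue  # ignore failures (529 etc.) and unrelated events
        name = LOGON_TYPE_NAMES.get(logon_type, f"Type{logon_type}")
        summary["per_account"][account][name] += 1
        if logon_type == 7:
            summary["unlocks"] += 1
        else:
            summary["other_logons"] += 1
    return summary


def count_logons(export_text, include_unlocks=False):
    """Count 528 events; by default leave out type 7 so unlocks don't inflate it."""
    s = summarize_528(export_text)
    return s["other_logons"] + (s["unlocks"] if include_unlocks else 0)
```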

TAGS: Security