NT Gatekeeper: Forcing a True Logon When Unlocking the NT 4.0 Screen

When Windows NT 4.0 users lock and unlock their workstations, the system compares their credentials against the locally cached credentials. If, in the meantime, the domain administrator changes an account password, the workstation's lock-unlock logic doesn't detect the change. Can we use lock-unlock logic to validate a user's credentials against the domain database instead of using the locally cached credentials?

To change this behavior, add the ForceUnlockLogon value of type REG_DWORD to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey and set it to 1. This change will make the workstation perform a full logon when the screen is unlocked. You must restart the system for the change to take effect. This registry hack works only on NT 4.0 Service Pack 4 (SP4) or later. For a more detailed explanation, see the Microsoft article "Screensaver Password Works Even if Account Is Locked Out" (http://support.microsoft.com/?kbid=188700).
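
To confirm the setting across a set of workstations, the following added example (not part of the original article or any Microsoft tool) parses a REGEDIT4-format text export of each machine's registry and reports whether ForceUnlockLogon is present under the Winlogon subkey as a DWORD set to 1. The function name, the state labels, the host names and the sample exports are constructed for illustration.

```python
import re

# Key and value name as given in the article above.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "ForceUnlockLogon"

def force_unlock_logon_state(reg_text):
    """Return 'enabled', 'not-enabled', 'wrong-type' or 'missing' for one export."""
    current_key = None
    state = "missing"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()   # registry paths are case-insensitive
            continue
        if current_key != WINLOGON_KEY.lower():
            continue                            # ignore other keys, including subkeys
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if not m or m.group(1).lower() != VALUE_NAME.lower():
            continue
        d = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", m.group(2).strip())
        if d is None:
            state = "wrong-type"                # e.g. created as a string, not REG_DWORD
        elif int(d.group(1), 16) == 1:
            state = "enabled"
        else:
            state = "not-enabled"               # only 1, the article's value, counts
    return state

# Constructed sample exports (not taken from a real machine).
SAMPLES = {
    "ws-compliant": r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"ForceUnlockLogon"=dword:00000001
''',
    "ws-string-typed": r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ForceUnlockLogon"="1"
''',
    "ws-wrong-key": r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ExampleSubkey]
"ForceUnlockLogon"=dword:00000001
''',
}

if __name__ == "__main__":
    for host, export in SAMPLES.items():
        print(host, force_unlock_logon_state(export))
```

A machine reported as anything other than enabled still unlocks against the cached credentials; a machine that reports enabled also needs SP4 or later and a restart before the setting applies.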
