
First some software details: Thin client: Wyse C10LE Citrix -> Windows Terminal Services -> Windows Server 2008 Enterprise desktop

I have a user with a very strange problem. When he locks his screen with Win+L, Windows claims he's entering wrong password when he tries to log back in. The only solution is to hard reboot the WYSE, and log back in. This reboot doesn't kill his Windows session.

I've checked for errors in keyboard settings (wrong layout etc.), nothing found. I suspect errors in his profile/errors in AD. No other users in the domain have this problem.

EDIT: Sorry, it's NOT Win R2. Plain Windows Server 2008

LarsErikP
  • He's not locking the Thin Client rather than the server, is he? Test this by locking via the Start Menu -> Windows Security. Have you tried connecting from an alternative device (something completely different) and seeing if the issue is the same? What happens when using RDP to connect? – Dan Nov 06 '12 at 10:15
  • No, he is locking the server. That's for sure. I've recently asked him to try another device. Waiting for status. He is not able to log in via RDP. – LarsErikP Nov 06 '12 at 10:28
  • I'd recommend temporarily giving him access to RDP, just to prove the point. Chances are you can eliminate Citrix from the equation. I'm not familiar with the C10LE - are you using PNAgent, or logging in through the Web Interface? – Dan Nov 06 '12 at 10:32
  • It's not possible to give him access to RDP.. The environment has one PDC, and some other DCs. The log tells me that this particular user authenticates with one of the DCs (which I presume checks with the PDC). Is there any difference between "cold" logon, and logon from the screen saver, in this context? – LarsErikP Nov 06 '12 at 10:52
  • Why can you not give him access to RDP? To the best of my knowledge, the machine will 'authenticate' locally when unlocking. I don't believe it needs to contact the DC again. So yes, the mechanisms will be totally different. This feels like one of those really weird errors that'll turn out to be something trivial, rather than some big back end issue. – Dan Nov 06 '12 at 11:08
  • Another suggestion - create a fresh test account and allow the user to log in with that and see if the issue persists. This will rule in or out his particular user account and profile. – Dan Nov 06 '12 at 11:10
  • I do already know that this problem is just connected to this particular user. There are no other users in the domain experiencing this.. – LarsErikP Nov 06 '12 at 13:20
  • I know that, but have you got this user to try it under a different account, from his normal machine? He may be doing something peculiar. – Dan Nov 06 '12 at 13:21
  • Also what's your profiling solution? I.e., roaming / mandatory etc? – Dan Nov 06 '12 at 13:25
  • Roaming profiles. I tried another account on his normal machine. Problem didn't exist. – LarsErikP Nov 06 '12 at 15:18
  • Delete his profile then! Problem solved. – Dan Nov 06 '12 at 15:56
  • Nope. Tried to delete his profile. Still the same problem. – LarsErikP Nov 12 '12 at 08:08
  • Does it happen every time without fail? Have you tried resetting his password in AD? – Dan Nov 12 '12 at 09:12
  • When we reset his password in AD, everything works. But when his password expires, and he is forced to change his password, the error occurs again. Maybe some kind of weird syncing problem? – LarsErikP Nov 12 '12 at 11:11

1 Answer

Unlock settings depend on security policy. This policy is called "Interactive logon: Require Domain Controller authentication to unlock". By default the user can unlock the computer using cached credentials. It seems your user has wrong cached credentials in his login. You use roaming profiles. The easy way to solve this problem:

  1. Back up user data from the roaming profile.
  2. Remove his profile from the server, or just rename his profile folder.
  3. Let the user log in again.

You can remove the user profile using PowerShell:

# $User holds the SID of the profile to delete; $Server is the session host it lives on
$User = "User SID"
$Server = "Myserver"
# Win32_UserProfile.Delete() removes the locally stored copy of that profile on $Server
Get-WmiObject Win32_UserProfile -Filter "SID='$User'" -ComputerName $Server | ForEach-Object { $_.Delete() }
sl-iwi
  • We actually tried this today. Same problem with a brand new profile.. And the GPO which forces AD auth to unlock is active for the user. This is getting very weird... – LarsErikP Nov 07 '12 at 14:14
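The answer hinges on whether the session host unlocks against cached credentials or against a DC, and the comments note the failure only starts after a password change. The following script is an added diagnostic, not part of the answer above: it reads the Winlogon policy values that govern unlocking and then lists the user's failed-logon events (4625) with the reason code, so you can see whether the unlock attempts are being rejected as "wrong password" or for another reason. It assumes PowerShell 2.0 on the Windows Server 2008 session host, remote registry and Security log read rights, and placeholder values for $Server and $UserName.

```powershell
param(
    [string]$Server   = "Myserver",   # placeholder: the session host the user logs on to
    [string]$UserName = "jdoe",       # placeholder: sAMAccountName of the affected user
    [int]$Hours       = 24            # how far back to look for failed logons
)

# 1. Unlock policy on the host. The security option "Interactive logon: Require Domain
#    Controller authentication to unlock" sets ForceUnlockLogon=1; CachedLogonsCount is the
#    number of domain logons the host keeps cached for offline/unlock use.
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$key  = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
$policy = New-Object PSObject -Property @{
    ForceUnlockLogon  = $key.GetValue('ForceUnlockLogon', 0)          # 0 = cached unlock allowed
    CachedLogonsCount = $key.GetValue('CachedLogonsCount', 'not set')
}
$policy | Format-List

# 2. Failed logons for this user. The SubStatus field of event 4625 separates a rejected
#    password from a locked, disabled or expired account.
$reasons = @{
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
    '0xc000006d' = 'bad user name or authentication information'
}
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        # Event data is easiest to read from the event XML: each <Data Name="..."> field
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ieq $UserName) {
            $code = $d['SubStatus'].ToLower()
            $why  = $code
            if ($reasons.ContainsKey($code)) { $why = $reasons[$code] }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                LogonType = $d['LogonType']        # 7 = unlock, 10 = RDP/ICA interactive
                Reason    = $why
                Source    = $d['WorkstationName']
            }
        }
    } | Sort-Object Time | Format-Table Time, LogonType, Reason, Source -AutoSize
```

A run of LogonType 7 failures with "wrong password" right after a password change, while LogonType 10 logons with the same password succeed, points at stale credential material on the unlock path rather than at the account itself.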