Windows 2000 Pro user cannot logon

[SBarrie]

We occasionally have problems where a new user on a particular PC cannot log onto the Windows 2000 domain. It comes up with an error indicating the user and password is not recognised. But the PC is connected to the network, other users can logon to the domain on that machine, and the user's ID and password work on other PCs. As soon as the user's domain password is changed by an administrator the logon works, but it is not that the user was using the wrong password since they could log on to other PCs and access the domain.

There seems to be no pattern to this. When it happens the user's password has not just been changed, nor is it close to expiry. Why does the domain controller not recognise a valid ID and password until the password is reset?

 

[hkunnana]

It looks like an Active Dirctory replication problem.(that if you have more than one DC)
I had similar case where the affected user when quering the DNS for the domain got the address of a DC that didn't replicate the Active directory after the account was created (either because of replication problem, or replication delay).

After creating a new user account, or changing any thing in the AD, check to see if the changes were replicated. If not, then you know where to look for.

 

[SBarrie]

I do have more than one DC but this problem does not affect newly-created users. Users who have been logging on to other PCs without any problems suddenly are not validated on a particular machine. It is not even necessarily a new computer account which is the problem. The PC seems to have problems validating the user ID.

 

[hkunnana]

So what kind of error message you get when trying to logon
something like :
* Domain not reachble
* User account doesn't exist
* wrong pass
* you don't have the right to logon from this workstation
...

 

[GlenJohnson]

I think hkunnana is close to the mark. The next time that happens, do a manual replication between the dc's and try again. Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"For last year's words belong to last year's language".
T. S. Eliot (1888-1965), Anglo-American poet.

 

[SBarrie]

I can't remember the exact error message. It is something about not being able to log onto the domain, and it says to check the user name and password are correct. It is not very specific and I know the domain, user and password entered are all correct.

The PC does not seem to be attempting to validate the logon with the domain controller. Using previous passwords does not work, so it is not that the case that a DC has not updated. This is a user who has been logging on to other machines and is validated by the same DCs on those machines.

This seems to me to be a problem on the PC client rather than the DC. Although the system tells me that the user or password is invalid it fails to log any error in the security log on the DC or to lock the domain user account due to failed logon attempts, which would normally be the case with incorrect passwords. But it starts working when a new password is set for the user. Why does it fail to validate with the DC until the password change is made?

 

[GlenJohnson]

I had this problem when I found that the pc was set up to log onto domainname, but the workgroup was still set as workgroup. When I changed the workgroup to match the domain name, the logon was perfect. Glen A. Johnson
Microsoft Certified Professional
gjohn76351@msn.com
"For last year's words belong to last year's language".
T. S. Eliot (1888-1965), Anglo-American poet.