You receive multiple password expiration messages in Windows 2000 (840688)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

SYMPTOMS

When you try to unlock a Microsoft Windows 2000 Professional-based client computer or a Microsoft Windows XP-based client computer, you may receive multiple password expiration warning messages. This symptom occurs after you perform the following procedure:
  1. You log on to the client computer and when you receive a password expiration warning message, you change the passwordand then lock the computer.
  2. You log on to the same domain controller from a second client computer by using the same user name and password, and then change the password when you receive a password expiration warning message.
  3. When you try to unlock the first client computer, you receive another password expiration warning message.

CAUSE

This behavior occurs because the domain user password that is stored by Winlogon on the first client computer is different from the domain user password that is stored by Winlogon on the second client computer. When you change the domain user password from the second client computer, Winlogon on the second client computer is updated with the new domain user password. The first client computer is not aware of the password change because it is already logged on and its version of Winlogon does not contain the change. By default, a client computer does not query a domain controller when the computer is locked and unlocked. Therefore, the user on the first client computer must change the password.

WORKAROUND

To work around this behavior:
  1. Unlock the client computer by using the new domain user password, and then click No when you receive the password expiration warning message.
  2. Log off the client computer.
  3. Log on to the domain controller from the client computer by using the new domain user password.
Note When you log on to the domain controller from the client computer by using the new domain user password, the logon process queries the pwdLastSet value on the user account and updates Winlogon with the new user password. The domain controller uses the pwdLastSet value to make a record of the date and time when the domain users last changed their password.

STATUS

This behavior is by design.
Modification Type:MajorLast Reviewed:6/18/2004
Keywords:kbprb KB840688 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.