Zaehlas
asked on
WinNT Workstations Locking with NULL Username
I administrate a Windows NT Network of approximately 500 workstations. A problem we have started having lately is that certain workstations start locking up, when no one is logged on, with no username.
The exact message is:
"This workstation is in use and has been locked"
"This workstation can only be unlocked by \ or an administrator"
"Press Ctl + Alt + Del to unlock this workstation"
It takes between 5 to 10 minutes of one of the affected workstations to lock up in this manner. It only happens when someone has logged off completely. An administrator account will not unlock a workstation once it has locked, although if it hasn't locked up yet, a user or administrator can log in normally with no problems. Once it has locked, the only solution appears to be rebooting the workstation.
This appears to afflict workstations randomly, with approximately 20% of our workstations affected right now. The only common factor among all the workstations is that the system registry reports that the Syskey encryption has been enabled, even though no administrators or users have run the syskey.exe application, and we have a common practice of removing this application from the workstations and servers. Even when Syskey is "turned on", the local username password hashes have not changed in length, or been encrypted, so I do not believe that Syskey is truly being enabled.
Using an offline registry editor to remove the Syskey entries has had some effect, although it will usually reset itself back to "on" after a few reboots. Sometimes it does not do this. I cannot yet prove that Syskey is causing the lockup issue.
Right now, the only permanent solution I have is to low-level format the affected workstations, and reload them from scratch. Sometimes this does not work, as a workstation can later be affected by this error.
We are running Norton Antivirus, corporate edition, with the latest signatures, and nothing is reported by it. This affliction is not a virus or worm that I am aware of.
All of our Workstations are WinNT 4.0, Service pack 6a, with custom load of software applications, Security Patches, and Hotfixes. I am not completely familiar with every single patch on our network, so it is entirely possible that one of them is causing it, although I doubt that, because not every system is affected by this, but we are pretty good on staying with updates.
I am assigning this question the malximum value of points, because I have accessed every other resource on the internet, and through Microsoft that I can think of, and no one has ever had thisw problem to my knowledge. I am hoping that one of you has more knowledge about the registry than I do, and can help me fix this problem.
Zaehlas
The exact message is:
"This workstation is in use and has been locked"
"This workstation can only be unlocked by \ or an administrator"
"Press Ctl + Alt + Del to unlock this workstation"
It takes between 5 to 10 minutes of one of the affected workstations to lock up in this manner. It only happens when someone has logged off completely. An administrator account will not unlock a workstation once it has locked, although if it hasn't locked up yet, a user or administrator can log in normally with no problems. Once it has locked, the only solution appears to be rebooting the workstation.
This appears to afflict workstations randomly, with approximately 20% of our workstations affected right now. The only common factor among all the workstations is that the system registry reports that the Syskey encryption has been enabled, even though no administrators or users have run the syskey.exe application, and we have a common practice of removing this application from the workstations and servers. Even when Syskey is "turned on", the local username password hashes have not changed in length, or been encrypted, so I do not believe that Syskey is truly being enabled.
Using an offline registry editor to remove the Syskey entries has had some effect, although it will usually reset itself back to "on" after a few reboots. Sometimes it does not do this. I cannot yet prove that Syskey is causing the lockup issue.
Right now, the only permanent solution I have is to low-level format the affected workstations, and reload them from scratch. Sometimes this does not work, as a workstation can later be affected by this error.
We are running Norton Antivirus, corporate edition, with the latest signatures, and nothing is reported by it. This affliction is not a virus or worm that I am aware of.
All of our Workstations are WinNT 4.0, Service pack 6a, with custom load of software applications, Security Patches, and Hotfixes. I am not completely familiar with every single patch on our network, so it is entirely possible that one of them is causing it, although I doubt that, because not every system is affected by this, but we are pretty good on staying with updates.
I am assigning this question the malximum value of points, because I have accessed every other resource on the internet, and through Microsoft that I can think of, and no one has ever had thisw problem to my knowledge. I am hoping that one of you has more knowledge about the registry than I do, and can help me fix this problem.
Zaehlas
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ODBA.... Same fix as I answered with link to jsiinc
ASKER
Thank you both... I need to test this fix and confirm that it's causing the problem. Once I have done this, I will grade.
I'm surprised after all my searching that these fixes never came up. hehe, it's a big web, I guess.
Once other thing, both of these fixes mention that to log on after this error has occured, to "clear the domain box", which is impossible on NT 4.0. Any ideas on that while I see if the screensaver fix works?
I'm surprised after all my searching that these fixes never came up. hehe, it's a big web, I guess.
Once other thing, both of these fixes mention that to log on after this error has occured, to "clear the domain box", which is impossible on NT 4.0. Any ideas on that while I see if the screensaver fix works?
????
The domain name box is part of the logon after CTRL-ALT-DEL
UserName:
Password:
DomainName:
The domain name box is part of the logon after CTRL-ALT-DEL
UserName:
Password:
DomainName:
ASKER
Outstanding. I tested the solution and it worked perfectly. The problem was stemming from the fact that part of our load was using a differently named screensaver for blanking (black16.scr), that wasn't always copied to systems. Now that we know about it, we are modifying our scripts to globally fix all our workstations.
I guess the login part of that is a moot point, however, when I was speaking of clearing the Domain box, I meant it is impossible because on our load of NT4, you cannot type in that box at all. It's a drop-down box. You cannot delete the text there or change it. So the fact the fixes state to "clear" this box sounds nonsensical.
Anyway, moot point, problem will be fixed. Thank you again.
I guess the login part of that is a moot point, however, when I was speaking of clearing the Domain box, I meant it is impossible because on our load of NT4, you cannot type in that box at all. It's a drop-down box. You cannot delete the text there or change it. So the fact the fixes state to "clear" this box sounds nonsensical.
Anyway, moot point, problem will be fixed. Thank you again.
;o) Your welcome
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
trywaredk,
our answers were written at the same time, so I don't see the point of your pointing out that yours is the same fix as mine -- not to mention that "yours" is an "observed behaviour", whereas "mine" is an official statement of Microsoft.
our answers were written at the same time, so I don't see the point of your pointing out that yours is the same fix as mine -- not to mention that "yours" is an "observed behaviour", whereas "mine" is an official statement of Microsoft.
ODBA... Sorry, I did'nt look at your posting time.
I reacted upon receiving a email about a comment from you, thus assuming, that you have seen my post before answering.
I reacted upon receiving a email about a comment from you, thus assuming, that you have seen my post before answering.
http://support.microsoft.com/default.aspx?scid=KB;en-us;q229687