Change password in windows locks startup

Posted on 2004-11-08
Last Modified: 2010-04-13

Clients = Windows 2000 Prof users.
Server = Windows 2000 Server AD

When logging in to the network some users are asked to change their password.

Submitting the old and new password, the login/startup process continues,
but stops almost immediately at the "green" blank screen, i.e. stops before viewing the desktop with the icons and start menu.
The computer is inaccessible and can only be rebooted.

Restarting the computer and logging in with the new password gives no error, but Windows stops
at the same blank screen.

Other users that are already logged in and change their password via the Windows Security screen (Ctrl-Alt-Del) can change their password
successfully and continue to work with the computer. But the next time they reboot the PC, the same startup problem occurs for them as well.

About half of the users that have changed their passwords have been successful but the other half have had this problem.

Some of the users had Service Pack 2 in Win2000 and we thought that was the problem, but different users with SP2 were both successful and
unsuccessful when changing their passwords. So there must be some more reasons than old Service Pack versions.

To get past this startup problem, login was made as admin, the user profile was removed, new login was made which created a new user profile,
and the profile settings were manually restored and the user was up and running.

But what is the real cause for this simple action of changing the password, which causes the startup process to lock up?
Lost permissions of the user profile?

Haven't seen this problem before when users have changed their password, but it happened last week for some computers.


Question by:janostlund

    Accepted Solution

    I had a look on the Microsoft site and found that SP4 takes care of some problems related to password changing.

    Did you check the event logs on the machines in question for errors?

    Try the following:
    Users can receive the above error messages under a variety of conditions. The underlying cause for these errors is a security registry change involving the RestrictAnonymous value.

    This problem may also have been fixed in SP3:

    When a Windows 2000-based domain controller receives an NTLM authentication request, it tries to validate the password in its database. If it does not succeed, it increments the bad password count, and passes the request to the primary domain controller because the database may not be synchronized.

    If the primary domain controller responds to the domain controller that forwarded the request with successful validation, the bad password count for the user on the domain controller should be reset to 0. However, the domain controller is not resetting the count to 0.

    This problem may only be seen in the Windows 2000 environment because UAS replication does not occur as frequently as in the Windows NT 4.0 domain environment. User passwords between domain controllers may be out of synchronization for a longer period of time. Also, the bad password count field is not replicated between the domain controllers.
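
Added example, not part of the original answer and not Microsoft's code: a small Python model of the bad-password-count behaviour the answer describes, where a domain controller with a stale password copy forwards the logon to the primary domain controller. The class names, the sample passwords and the lockout threshold of 3 are assumptions made for illustration.

```python
LOCKOUT_THRESHOLD = 3  # assumed account lockout policy value


class PrimaryDC:
    """Holds the most recent password (the user changed it here)."""
    def __init__(self, password):
        self.password = password

    def validate(self, password):
        return password == self.password


class DomainController:
    """Replica DC whose password copy may lag behind the PDC."""
    def __init__(self, pdc, password, reset_on_pdc_success):
        self.pdc = pdc
        self.password = password      # possibly stale copy
        self.bad_pwd_count = 0        # local only, not replicated
        self.reset_on_pdc_success = reset_on_pdc_success

    def authenticate(self, password):
        if password == self.password:
            self.bad_pwd_count = 0
            return True
        # Local validation failed: count it, then forward to the PDC.
        self.bad_pwd_count += 1
        if self.pdc.validate(password):
            if self.reset_on_pdc_success:   # the expected behaviour
                self.bad_pwd_count = 0
            return True
        return False

    def locked_out(self):
        return self.bad_pwd_count >= LOCKOUT_THRESHOLD


def logons_until_lockout(reset_on_pdc_success, attempts=10):
    """Password was changed on the PDC; the replica still has the old one.
    Returns how many correct logons it takes to hit the threshold, or
    None if the threshold is never reached."""
    pdc = PrimaryDC("new-pass")                       # constructed value
    dc = DomainController(pdc, "old-pass", reset_on_pdc_success)
    for n in range(1, attempts + 1):
        if not dc.authenticate("new-pass"):
            raise RuntimeError("PDC should accept the new password")
        if dc.locked_out():
            return n
    return None
```

Without the reset, every logon with the correct new password still raises the local count on the stale replica, so the assumed threshold is reached after three valid logons; with the reset the count never accumulates.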

