Previous signed in user gets locked out of domain

In the last month, we have been running into issues with Windows 10 and domain accounts. It happens if there is a computer that has MULTIPLE user accounts logged in, and the PC sits idle and goes to the screen lock. When a user comes back to the PC and clicks on THEIR user name and tries typing their password, it says "incorrect password" right away. After so many tries, it then locks out the "last logged in user" and not their own. We can confirm via the logs that even though it shows their picture and username on the screen, according to the logs it locks out the previous user. The other weird thing about this is they can click on "Other user" instead of their name and log in fine. Also, a reboot fixes the login issues, but it will eventually happen again if multiple users stay logged in. At first I thought this was tied only to Windows 10 version 1709, but I had it happen on a Windows 10 version 1703 machine today.

We have a simple domain controller setup plus a backup DC at the 2008 functional level. We have mostly 2008 and 2016 servers; the majority of workstations are Windows 10. We're a medium-sized business.

Anyone else experiencing this issue? Any help would be appreciated. This is my first post on Experts Exchange, looking forward to giving this community a shot!
Elyod asked:

Elyod (author) commented:
So I found out the issue. It is a Windows 10 bug. They recently fixed it for 1703; 1709 is still not fixed yet. We're probably going to keep things on 1703 with the latest patches. If anyone else runs into this issue, here it is: KB4093117.

https://support.microsoft.com/en-us/help/4093117/windows-10-update-kb4093117

Specifically: "Addresses an issue that prevents users from unlocking their session and that sometimes displays incorrect user-name@domain-name information on the logon screen when multiple users log on to a machine using fast user switching. Specifically, this happens when users are logging on from several different domains, are using the UPN format for their domain credentials (user-name@domain-name), and are switching between users with fast user switching."
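The solution post above says the lockout can be confirmed from the logs. As an added example (not from the original thread or from Microsoft), here is a PowerShell triage script that does that confirmation: it lists the accounts currently locked out, pulls the lockout events (Event ID 4740) from the PDC emulator so you can see which account was really locked and from which workstation, and checks the affected workstation's release and whether KB4093117 is present. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the PDC emulator, and that the script is run on the workstation for the last check. The account and computer names it prints come from your own directory.

```powershell
# Added example: triage "wrong account locked out" reports. Not from the original thread.
# Assumes the RSAT ActiveDirectory module on the admin workstation and rights to read the
# Security log on the PDC emulator, which records every lockout (Event ID 4740) regardless
# of which DC processed the bad passwords.

Import-Module ActiveDirectory

# 1. Which accounts are locked out right now?
function Get-CurrentLockouts {
    Search-ADAccount -LockedOut |
        Select-Object SamAccountName, UserPrincipalName, LockedOut, LastLogonDate
}

# 2. Lockout events from the PDC emulator. TargetUserName is the account that was
#    actually locked; in 4740, TargetDomainName carries the caller computer name,
#    not a domain. Compare LockedAccount with the name on the logon tile.
function Get-LockoutEvents {
    param([int]$Hours = 24)
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Select fields by name from the event XML rather than by positional index.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            }
        }
}

# 3. Run on the affected workstation: which release is it, and is KB4093117 installed?
#    Get-HotFix only reports the KB if it was installed under that number; a later
#    cumulative update that supersedes it shows its own KB, so a $false here is not
#    proof the fix is missing. Check the build number against the KB article as well.
function Test-FusBugPatch {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kb = Get-HotFix -Id KB4093117 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ReleaseId = $cv.ReleaseId
        Build     = "$($cv.CurrentBuild).$($cv.UBR)"
        KB4093117 = [bool]$kb
    }
}

Get-CurrentLockouts  | Format-Table -AutoSize
Get-LockoutEvents -Hours 24 | Format-Table -AutoSize
Test-FusBugPatch
```

If the LockedAccount in the 4740 events differs from the user shown on the lock screen while the CallerComputer is the workstation in question, you have the symptom described in the thread rather than a simple mistyped password.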
 
McKnife commented:
You need to explain how many users you are holding logged in simultaneously. Just two or three, or literally >10, keeping all the sessions open but disconnected? I remember reading about problems concerning this setup once before. Strange effects were seen, and that guy had a lot (>10) of sessions parked.
 
Elyod (author) commented:
Hi McKnife, typically it's only 2 or 3 users, so nothing too abnormal from my perspective anyway. We heard from the helpdesk that one computer only had one user logged in when it happened, but it still locked out the last logged in user (we still have to replicate and confirm this on my end), but I can confirm that with at least 2-3 users it can happen. Also, it's not consistent. It seems to happen maybe once or twice a day, which makes it difficult to troubleshoot.
McKnife commented:
You need to try on a standard, clean installation of the latest Win10 version (patched) without any additional software. If it happens there, give me steps to reproduce and we'll see what I can do.
 
McKnife commented:
Saw that today and thought of this thread, but wasn't able to localize it.
So you say you had that problem on 1709, too?
 
Elyod (author) commented:
Yes, it's an issue with 1709 as well, and there's no patch for it yet that we've found (only for 1703). In our case we use Office 365, so we have our on-premises login as local.domain, for example, but we also have a domain alias set up for company.com. So our users sometimes use just john.doe (which reverts to domain\john.doe). However, if you type in the alias name, john.doe@company.com, it then uses the company.com domain, if that makes sense. We typically tell our users to type in just john.doe, but sometimes they confuse it with john.doe@company.com because they use that for everything in Office 365. Normally not a big deal at all. But with this bug it is. In order to replicate it, sign in on a machine with both methods (typically 2 or three users) and boom, you'll experience the headaches we've been facing :P
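The comment above describes the trigger: the same person signing in sometimes as a bare sAMAccountName (john.doe) and sometimes as a UPN with an alias suffix (john.doe@company.com). As an added example (not from the original thread), the following PowerShell resolves each form an end user might type at the lock screen to the underlying AD object and its SID, so you can verify that both forms really are one account and that a lockout recorded under one name belongs to the user shown on the tile. The user name, NetBIOS name LOCAL, and the suffixes local.domain and company.com are placeholders; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: resolve the credential forms users type at the lock screen to one
# AD object. Not from the original thread. Names below are placeholders.
Import-Module ActiveDirectory

function Resolve-LogonName {
    param([Parameter(Mandatory)][string]$Name)

    # Escape single quotes so the value cannot break out of the -Filter string.
    $safe = $Name.Replace("'", "''")

    if ($Name -match '^(?<user>[^@\\]+)@(?<suffix>.+)$') {
        # UPN form. userPrincipalName may carry an alternate UPN suffix (company.com)
        # that differs from the AD DNS name (local.domain); it is still the same object.
        $form = 'UPN'
        $u = Get-ADUser -Filter "UserPrincipalName -eq '$safe'" -Properties UserPrincipalName
    } elseif ($Name -match '^(?<domain>[^\\]+)\\(?<user>.+)$') {
        # DOMAIN\user form: look up by sAMAccountName, ignoring the NetBIOS prefix here
        # because this example assumes a single domain.
        $form = 'DOMAIN\user'
        $sam  = $Matches.user.Replace("'", "''")
        $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties UserPrincipalName
    } else {
        # Bare name: Windows treats it as DOMAIN\user for the machine's domain.
        $form = 'bare sAMAccountName'
        $u = Get-ADUser -Filter "SamAccountName -eq '$safe'" -Properties UserPrincipalName
    }

    [pscustomobject]@{
        Input          = $Name
        Form           = $form
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        SID            = $u.SID.Value
        LockedOut      = (Get-ADUser -Identity $u.SID -Properties LockedOut).LockedOut
    }
}

$forms = 'john.doe', 'LOCAL\john.doe', 'john.doe@company.com' |
    ForEach-Object { Resolve-LogonName -Name $_ }

$forms | Format-Table -AutoSize

if (($forms.SID | Sort-Object -Unique).Count -eq 1) {
    'All three forms resolve to the same account.'
} else {
    'The forms resolve to different accounts; check UPN suffixes and duplicate names.'
}
```

Because LockedOut is an attribute of the object, it is the same whichever name form was typed. If the lockout appears on an account whose SID does not match the user on the logon tile, the credential prompt is being attributed to the wrong session, which is the bug the thread is about.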
 
Elyod (author) commented:
Thanks for the help everyone; the solution is the article I posted in the link with the KB.