Can't log on Windows with new accounts.  To reinstall Windows or to not reinstall Windows is the question.

A Windows 10 Pro 1903 laptop will NOT accept new local user accounts at logon.
I've changed the passwords to no avail.
I've created new accounts to no avail.
I've run sfc, DISM, sfc to no avail.
Only the one (original?) user tied into AzureAD is working as expected.
(The computer is NOT domain-joined).

Other than reinstalling Windows, any suggestions?

Jackie Man (IT Manager)
Commented:
Are you the Global Admin for Azure AD?

Hello There (System Administrator)
Commented:
A Windows 10 Pro 1903 laptop will NOT accept new local user accounts at logon.
What's the message you see when you try to log in?

Any policy preventing local users from logging on?

Fred Marshall (Principal), Author
Commented:
Jackie Man:
Are you the Global Admin for Azure AD?
I guess so.  If not, I'm sure I CAN be... I must say that I'm rather confused by this in that the computer is NOT domain joined and the User is shown in places as AzureAD\username.  What the heck is that?!

Hello There: The message is consistently
The username or password is ..... (not recognized?)
I've tried "fixes" for this but nothing seems to help.

Fred Marshall (Principal), Author
Commented:
This seems like a very strange type of failure.  I have to wonder if there's something blocking the added accounts from logging on.  If so, it would be GREAT to be able to fix it that way!!!  Any suggestions would be well appreciated!

I might add that the primary user logon is with a PIN.  That's the only logon that works.

Jeff Glover (Sr. Systems Administrator)
Commented:
It sounds like you chose to add an Azure user at install. This will make the computer behave like it is part of the Azure AD domain. Did you try prefacing the new username with the name of the computer like <computername>\<username> ?

Fred Marshall (Principal), Author
Commented:
Jeff Glover:  Yes, I agree that's probably what the owner did.  But "behave like"  is a new notion to me where I'm used to computers being domain-joined or not.  So, this computer seems very strange to me.  
There are two issues:

- one is that this user only has this condition and I'd like to get rid of it because it confuses file sharing within his office (for him anyway).
- the other is that we CANNOT create new user profiles AND have their passwords work.  That is very troubling.
Because of the latter, we're moving toward reinstalling Windows.
I wish there were a better way.
Is there?

Philip Elder (Technical Architect - HA/Compute/Storage)
Commented:
Is the Azure AD account a local admin?

Start --> CompMgmt.msc --> Users & Groups --> Create a new user there with a password.

Log off.

Does the user account show up in the bottom left corner? It should.

As soon as a user signs in with their Azure AD account it hooks the machine into Azure AD and all h*ll can break loose as a result.

Jeff Glover (Sr. Systems Administrator)
Commented:
So when you create a new local user and try to log on with it, using the computername\username format or just .\username, it will not take the password even if you made the new local user an administrator?
Did you try to disjoin it from Azure AD? (Start | Settings | System | About). As long as you know the local administrator account password, you should be able to do this.

Fred Marshall (Principal), Author
Commented:
I don't have easy access to this computer so doing experiments is difficult.

I can say this:  Since the computer reports that it's in a Workgroup then I'm hard pressed to know if and when it may be "joined" to Azure AD if that's what Azure AD *is*.  

I did create new local users and tried to logon with them using Username as why would one anticipate a whatsis\username format for users that aren't joined to anything?  But I'm now tempted to try things like that!!
For that matter, am I to believe that this is in a "azuread" logon context as if we were using azuread\username but need not enter azuread\ at all - just like in a "real" domain?
I don't recall seeing the normal annotation that this logon would be in the domain\ context....

This must be very special indeed!!  :-)

Jeff Glover (Sr. Systems Administrator)
Commented:
What I gave you is honest advice. I am sorry it seems frustrating to you. I will stop trying to help you. Good luck

Philip Elder (Technical Architect - HA/Compute/Storage)
Commented:
We have a VM set up for some custom O365 work we do for clients. It was purposefully set up this way with the first logon being with an Azure AD/O365 username and password along with the 2FA prompts.

The VM/OS does not behave like a standard workgrouped computer would.

I've not had a chance to dig into it, but I suspect that there are some MDM/Intune-type policies associated with that AzureAD/O365 account that are coming into play here.

Andrew Leniart (IT Professional | Freelance Journalist)
Commented:
Hi Fred,

An interesting question. I'd like to back up a couple of steps and clarify a few things if you don't mind.

You said:

I've changed the passwords to no avail.
I've created new accounts to no avail.
I've run sfc, DISM, sfc to no avail.
Only the one (original?) user tied into AzureAD is working as expected.

I've tried "fixes" for this but nothing seems to help.

This doesn't seem possible to me. There has to be a registry corruption and/or a policy in effect on the local machine that's causing this. Can you confirm the following;

Has the laptop *ever* been connected to an Azure server?

When you say you've tried multiple accounts, do you mean the laptop will not log in to the other accounts you've created at all? Not even locally?

Please advise in detail on the above questions.

Regards, Andrew

Fred Marshall (Principal), Author
Commented:
Jeff Glover:  Somehow I gave the wrong impression.  I appreciate your help and advice very much!  e.g. "But I'm now tempted to try things like that!!" and will be doing so here in a few minutes as I got some time on that machine.

Commented:
Jeff gave an excellent suggestion: "Did you try prefacing the new username with the name of the computer like <computername>\<username>".  Have you tried that?

If you go to Settings, Accounts, what do you see as the logged-in user name?  More specifically, what is before the \?

If you then click on Other Users, what do you see before the \ on the other users?

Fred Marshall (Principal), Author
Commented:
OK.  I had a few minutes access and tried what now seems obvious.
I can log into other accounts using computername\username + password.
Without computername\, as before, the error message was:
"The username or password is incorrect..." something like that.  So, it was the format of the username that was causing the logon failures.

What I'm used to seeing is this;
In a domain-joined computer, if you log on as a domain user and then log off, the next time you go to log on, there is a note below the logon credentials that says: Sign in to: [DOMAINNAME].  If that shows up then to log on to a local user, you have to prefix COMPUTERNAME\ to the name credentials.  It makes it clear.

Phil Elder:  In this case and in many that I see, the design of the logon page in the lower left-hand corner doesn't show other usernames.  It says:

[Last domain logon username]
Other user

I'm sure this is a formatting option but haven't made changes lately.

To recap:
A computer whose Properties show it is in a Workgroup.
Yet, it takes the normal domain-style logon format of computername\username OR domain\username depending on the user.

Has the laptop *ever* been connected to an Azure server?
I don't really know the answer to this question but I would have to say: "very probably not".  But then I'm more used to a Windows workgroup or domain environment.  In this context, I don't even know what "connected" means really when it says it's in a Workgroup.

Anyway, with all your help, problem is solved!
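
Added example (not part of the original thread): a PowerShell check, run on the laptop itself, that reads the device join state from `dsregcmd /status` and lists each enabled local account with the qualified sign-in name that worked above. The `$sample` lines are constructed and are used only when `dsregcmd` is not available; the function name `Get-JoinState` is hypothetical.

```powershell
# Constructed sample of the relevant `dsregcmd /status` lines (not captured output).
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO'
)

# Hypothetical helper: pull the two join flags out of the status text.
function Get-JoinState {
    param([string[]]$StatusLines)
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]@{
        AzureAdJoined = [bool]$state['AzureAdJoined']
        DomainJoined  = [bool]$state['DomainJoined']
    }
}

# Use the live tool when present; otherwise fall back to the constructed sample.
$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    dsregcmd.exe /status
} else {
    $sample
}
$join = Get-JoinState -StatusLines $lines
$join | Format-List

if ($join.AzureAdJoined -and -not $join.DomainJoined) {
    # The situation in this thread: System Properties reports a Workgroup,
    # but the device is joined to Azure AD.
    'Azure AD joined, not domain joined: qualify local accounts at sign-in.'
}

# List enabled local accounts with the two qualified forms used in the thread.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            SignInAs  = "${env:COMPUTERNAME}\$($_.Name)"
            ShortForm = ".\$($_.Name)"
        }
    }
}
```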

Fred Marshall (Principal), Author
Commented:
P.S.  now I see Philip Elder's comment:
As soon as a user signs in with their Azure AD account it hooks the machine into Azure AD and all h*ll can break loose as a result.
That's a great description and now I can guess what "connected" means.  This is exactly what we've had for a couple of years now with this one computer.

Fred Marshall (Principal), Author
Commented:
Thanks folks!!