AD domain environment
Admin cannot unlock workstation if user has logged in workstation only with cached domain credentials.
Help desk user is unable to unlock workstation after user logs in "windows onlyâ using AD account
Admin's only choice if user is not around is to power off the workstation.
Steps to reproduce
1. login "windows onlyâ as a
non-admin user. In the GINA, Click the down arrow and select a
domain login; windows will authenticate against cached credentials
in the registry.
- OR -
login Windows only with email@example.com to be logged in to the workstation using cached domain credentials.
2. Hit control-Alt-Delete and lock the workstation.
3. Attempt to login as user admin and unlock the workstation. You will not be able to select a local workstation login (as opposed to a domain login). ALSOUnless admin has logged into the domain from this workstation before there will be no cached user credentials for Admin, and he will be unable to login and unlock the workstation.
By default, Windows NT will remember the 10 most recent logon attempts. See http://support.microsoft.com/kb/172931/en-us Problem is help desk tech who goes out to check a problem won't be one of those last 10 users.