
Troubleshoot Password Problems

Forgot Password
Note: The above series of Microsoft articles takes a gigantic leap of faith in your not having set an Administrator password, nor do the articles spell out that if you have set an Administrator password and you've also forgotten that then you're in big trouble. See the next article under "If you do not use EFS" on how to get to your documents if you've also set an Administrator password and forgot that too.
 


Note: If you have forgotten your user logon password and you are not sure if you created an Administrator password, start Windows in and try logging on as Administrator using a blank password. If you have not created a password reset disk and you have also forgotten your Administrator password, you cannot log on to your existing Windows installation for security reasons. Microsoft state that you must perform a "clean" installation of Windows XP, re-create all user accounts, and reinstall all of your programs. However this is unnecessary if you have not implemented the Windows XP Encrypting File System.

If you do not use EFS:
You can install XP to another partition and recover your documents from there. If you do not have another partition, you can perform a  and still recover your documents. You can also use almost any Linux boot CD to gain access to NTFS partitions:
  • Trinity Rescue Kit
    • Trinity Rescue Kit, or TRK, is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines
  • Geek to Live: Rescue files with a boot CD
  • Ultimate Boot CD for Windows
For the ultra-desperate hacker, check out the offline password editor. Apparently this toolset also works on Vista. The offline editor will modify the encrypted password in the Security Accounts Manager (SAM) database, and you do not need to know the old password either. The tool will also detect and unlock locked out or disabled user accounts.

If you use EFS:
You must have backed up your EFS Certificates and the Recovery Agent. Read the article titled Backing up EFS Certificates and Recovery Agents to avoid this issue in the future. You should also resign yourself to performing a clean installation of Windows XP, re-creating all user accounts, and reinstalling all of your applications. If you made backups, read Restoring EFS Certificates and Recovery Agents.

Whilst the latter two links to the compulink site have some good information about backing up and restoring EFS certificates, along with screen dumps, the articles are very difficult to follow because they're not well written. If you have trouble following the narrative there, try these:





Note: If you are using EFS, your data is useless without the password or EFS certificates. Don't blame the OS if you're in this situation because you enabled EFS to keep people out of your data, right?


This article describes how to take ownership of a file or folder to which you have been denied access. If you require access to a file or folder to which you do not have access (permission), you must take ownership of that file or folder, where you replace the security permissions to allow yourself access. If you have been denied access to a folder and you have implemented the Windows XP Encrypting File System (EFS) and also reinstalled XP, this article will not help you. To recover EFS encrypted folders you must have backed up your EFS Certificates and the Recovery Agent. Read the next section titled "Log On if you Forget your Password or it Expires."


When you attempt to log on to Recovery Console in Windows XP by typing the correct password for the local Administrator account, Recovery Console may display the following error message:

The password is not valid. Please retype the password.


When you try to unlock your computer, you may receive an error message that is similar to the following: The password is incorrect. Please retype your password. Letters in passwords must be typed using the correct case. You cannot unlock your computer.


Fixes a problem where you cannot change your password after you log on to your Windows XP-based computer for the first time.


When you try to log on to Windows XP Professional, you may receive the following message: Your password will expire in number of days. Do you want to change it now?


After you upgrade to Windows XP Professional, you may receive the following error message: Your password will expire in a number days. Do you want to change it now? You may receive this message although you have never used a password.


Explains how to create and how to use a password reset disk for a non-domain member computer in Windows XP.


When you try to change your password on a Microsoft Windows XP Professional-based computer, you may receive an error message that is similar to the following:

Your password must be at least number characters; cannot repeat your previous number...


After you schedule a task by using the Scheduled Tasks tool, the task may not run at the time you chose. If you view the status of the task, you may receive the following error message:

The scheduled task did not run because no user account password was entered.


A new security feature in Windows XP does not allow the use of a blank password when you configure the Low Battery alarm or the Critical Battery alarm to run a program when the battery level drops to a predefined level that you set.


When you try to clear the password box in the Connect to ISP Name dialog box after being connected to a remote computer, you may not be able to completely clear the password box. The password always goes back to the password that you most recently used.


This article describes how the restoration of passwords is managed by System Restore on a Windows XP-based computer, and describes which types of passwords are restored and which are not restored.


When you upgrade or install Microsoft Windows XP, passwords may be assigned to user accounts that previously had no password or you did not assign passwords to any user accounts during the installation process. As a result, you cannot log on to the computer.


After you reset the password of an account on a Windows XP-based computer that is joined to a workgroup, you may lose access to the user's: Web page credentials; File share credentials; EFS-encrypted files; Certificates with private keys (SIGNED/ENCRYPTed e-mail).


After you upgrade to Windows XP from Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me), certain passwords may no longer be saved. Uninstalling Windows XP does not restore these passwords.


When you return to Windows from your password-protected screensaver, you are not prompted for your password.


After you log on as an administrator to a computer that is not a member of a domain, when you double-click User Accounts in Control Panel to change the password for the built-in Administrator account, the Administrator account may not appear in the list of user accounts. Consequently, you cannot change its password.


After you upgrade from Microsoft Windows Millennium Edition or Microsoft Windows 98 to Windows XP, you may be prompted to log on by typing a password. This symptom may occur even if no password previously existed or was specified during the upgrade process. When this occurs, you may not be able to log on, regardless of the password you type.


If you do not have direct access to a printer, but you do have a user account and password that does have access, you may be unable to print to the same network printer the next time you log on to the computer, and you may receive one of the following error messages: Access is denied; The RPC server is unavailable; Could not start print job. If you check the status of the network printer in the Printers folder, it may appear as:

Access denied, unable to connect.


Fixes a problem where Windows XP or Windows 2000 prompts you to change an expired password even after you have just changed your password.


Provides a fix for a problem where you cannot access EFS files after you change the user password to a new password on a Windows XP Service Pack 2 (SP2)-based computer.


Describes how to set the power options in Windows XP so that you are not prompted for a password when your computer resumes from standby.


When you create a new user on a Microsoft Windows XP Home Edition-based computer, you are not prompted to create a password.


When you install Windows XP Home Edition, you are prompted to enter a password for the Administrator account. After the installation has completed, you can only use the Administrator account in .


After you use the Files and Settings Transfer Wizard or the User State Migration Tool to migrate program settings, programs that require passwords may no longer work properly, or may prompt you for a password that you previously saved.


Describes how to resolve an issue where a broadband connection that requires a user name and password is not available in Windows XP.


This article is Part 1 of the Forgotten your Windows XP Home password? guide. Part 1 introduces this topic.






When you try to log on to a Microsoft Windows Server 2003-based computer or to a Microsoft Windows 2000-based computer, you may be prompted to change your password. After you enter your new password, you may receive the following error message:

You do not have permission to change your password.


Consider the following scenario. Your Microsoft Windows XP-based computer or Windows XP Service Pack 1 (SP1)-based computer is part of a Microsoft Windows NT 4.0 domain. You log on to the computer for the first time, and you are prompted to change your password. You type a password that does not meet the password restrictions that are set on the domain controller. You receive an incorrect error message that is similar to the following error message:

You do not have permissions to change your password.

Note: When you type a password that does not meet the password restrictions that are set on the domain controller, you should receive a message that the password does not meet the password restrictions together with a description of the restrictions.


When you try to change your password in Microsoft Windows XP or in Microsoft Windows 2000 on a locked-out account that has the User must change password at next logon attribute set, you receive an error message that is similar to the following:

The system cannot change your password now because the domain <DomainName> is not available.

Note: In this error message, DomainName is a placeholder for the actual domain name.


After you have been granted the Reset User Passwords and Force Password Change at Next Logon permission, and you log on to a Microsoft Windows Server 2003 domain controller or a Microsoft Windows XP-based computer that has the Windows Server 2003 Administration Tools Pack installed, the following symptoms may occur:
  • In Active Directory Users and Computers, when you right-click a user name, and then click Reset Password, the User must change password at next logon check box is unavailable.
  • In Active Directory Users and Computers, when you open Properties for a user, the User must change password at next logon check box is available on the Account tab.


This article explains one of the simplest ways to improve security of a Windows XP PC by implementing a strong password.


When you use a user principal name (UPN) to log on to Microsoft Windows XP, you may be prompted to change your password. When you try to change your password, you may receive an error message that is similar to the following:

The system cannot change your password now because the domain is not available.


If you change your password on a Microsoft Windows XP-based computer that is a member of a domain, you receive the following error message:

The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

This symptom occurs if all the following conditions are true:
  • You are using your user principal name (UPN) to change your password. For example, you are using to change your password.
  • The Security Accounts Manager (SAM) account user name is different from the first part of the UPN.
    • Note: The SAM account uses the following format:
      DomainName\SAMacctUserName
  • You are logging on to a domain of a different forest, and the computer that you use is not a member of the domain to which you are logging on. The trusted domain to which you log on is not using Microsoft Windows Server 2003 forest trust.


If you forget your password or if your password expires, you can no longer log on to your computer until you reset your password. This article contains several step-by-step methods that you can use to try to reset your password so that you can log on to your computer again. However, these steps will only work if you or someone else knows the password for another user account on this computer, or if you have previously created a password reset disk for this computer. If this is not the case, unfortunately, you have to reinstall Windows XP and all other programs that were installed on this computer before you can use this computer again. This is for security reasons. Otherwise, anyone could reset a password to anyone's computer and gain access to private information.

This article is intended for a beginning to intermediate computer user.

You may find it easier to follow the steps if you print this article first.


This article describes how to manage stored user names and passwords on a computer that is not a member of a domain.

When you log on to a Windows XP-based computer, you can supply a user name and password, which becomes your default security context for connecting to other computers on networks and over the Internet. However, this user name and password may not provide access to all desired resources. The Stored User Names and Passwords feature provides a way to store additional user names and passwords as a part of your profile.

Stored User Names and Passwords is a secured store for password information. With this feature, you can type user names and passwords for various network resources and applications (such as email) one time, and then have Windows automatically supply that information for subsequent visits to those resources without your intervention.


This article describes how to manage stored user names and passwords on a computer that is a member of a domain.

Stored User Names and Passwords is a secured store for password information. With this feature, you can enter user names and passwords for various network resources and applications (such as e-mail) once, and then have Windows automatically supply that information for subsequent visits to those resources without your intervention.


When you try to change the logon password on your Windows XP-based computer, you receive the following error message:

The system cannot change your password because the domain MIT Realm is not available.


In Microsoft Windows XP Professional, when you try to use a smart card to log on to a Microsoft Windows Server 2003 domain, you receive the Change Password dialog box. In the Change Password dialog box, the User Name box is empty and the Old Password box is full.


This article describes how to create and use a password reset disk for a computer that is a member of a domain. You can use a password reset disk to gain access to your Microsoft Windows XP Professional-based computer if you forget your password.


When you attempt to change your password by using your user principal name (), you may receive one of the following error messages.

If the account is in the parent domain:
The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

If the account is in a child domain:
Unable to change the password on this account due to the following error:

1359 : An internal error occurred
Please consult your system administrator.



If a user tries to change their password on an account that is locked out and has the User must change password at next logon attribute set, the user receives the following error message:

The system cannot change your password now because the domain domain_name is not available.

This error message is misleading because it does not distinguish between the actual situation (a locked-out account) and true connectivity problems.


Windows XP introduces a new behavior which makes it easier to access resources that require credentials other than the logged-on user's credentials. This article describes the functionality and expected behavior of Stored User Names and Passwords.


When you try to connect to a remote share by using NTLM authentication on a Microsoft Windows XP-based computer, you may receive the following error message:

Logon failure: unknown user name or bad password.

For example, you may experience this problem when you try to connect to a remote share by using the IP address as the server name.

Note: This problem does not occur if you use Kerberos authentication.


In Windows NT 3.x, when your password is 14 days from expiration, you receive a Password Change Notification when logging on requesting you to change your password. If the Maximum Password Age is set to 30 days, you receive the notice when your password is only half way through its life span. Although you may wish to change the advance time of the reminder, the Password Change Notification is hard coded at 14 days in Windows NT 3.x and is not configurable.

Note: Despite this article referring to NT 3.x, it is applicable to XP.


You can use the Stored User Names and Passwords feature that is included in Windows XP at a command prompt.


Instead of storing your user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

The LM hash is relatively weak compared to the NT hash, and it is therefore prone to fast brute-force attacks. Therefore, you may want to prevent Windows from storing an LM hash of your password. This article describes how to do this so that Windows only stores the stronger NT hash of your password.


When you set the Passwords must meet complexity requirements policy setting, and a user logs on to the computer or to a domain and types a password in the Change Password dialog box that does not meet the complexity requirements, the user receives the following message:

Your password must be at least x characters; cannot repeat any of your previous x passwords; must contain capitals, numerals or punctuation; and cannot contain your account or full name. Please type a different password. Type a password which meets these requirements in both text boxes.

This message is expected behaviour when a user tries to change the password and the password does not meet the complexity requirements that you set. However, some of the content of the message may be confusing to some users because it does not explicitly specify that the password must contain at least three of the following four character groups:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Numerals (0 through 9)
  • Non-alphabetic characters (such as !, $, #, %)


When a user tries to use certificate functionality after they change their password or when they use a roaming profile, they may lose access to this certificate functionality. Certificate functionality that may not work as before includes the following:
  • Accessing files that are encrypted with Encrypting File System (EFS)
  • Accessing a secure Web page that requires certificate authentication
  • Signing e-mail with Secure/Multipurpose Internet Mail Extensions (S/MIME)
When they try to access a secure Web site, the following error message is logged:

Schannel Event: 36870
A fatal error occurred when you try to access the SSL client credential private key. The error code returned from the cryptographic module is 0x80090016.



When a member of the Users group tries to use the Users and Passwords tool in Control Panel in Windows XP, the user is prompted for the Administrator password:

You must be a member of the Administrators group on the computer to open the Users and Passwords control panel. You are logged in as Machine_name\User_name, which is not a member of the Administrators group.

Specify the user name and password of an Administrator on this computer to continue:

User name:
Password:

You can change your password without opening the Users and Passwords control panel by pressing CTRL-ALT-DEL and selecting Change Password.


However, the Administrator account and password are ignored if the user runs the Administrative Tools tool in Control Panel. The user can gain access to the Computer Management tool and the Local Users and Groups subtree it contains. When the user gains access, a member of the Users group can add a new user to the computer. The user can also change the password for the created account. Members of the Users group cannot promote the new user to the Administrators group, nor can they change another account's password.


You may experience one or more of the following symptoms when you apply the "Password protect the screen saver" Group Policy setting to Windows XP and Windows XP Service Pack 1 (SP1)-based computers:
  • When you create or edit the policy on a Windows XP-based computer, the policy is not applied correctly to Windows XP Service Pack 1 (SP1) client computers.
  • When you create or edit the policy on a computer with Microsoft Windows Server 2003, Microsoft Windows 2000, or Windows XP SP1, the policy is not applied correctly to Windows XP client computers.
For example, if you enable the "Password protect the screen saver" Group Policy, and you view the screen saver settings of the client computer (right-click an empty area of the desktop, click Properties, and then click the Screen Saver tab), the On resume, password protect check box is selected as expected, but the screen saver is not actually password-protected.


When you change the password policy, the changes are not applied as expected.


A guest account provides access to the computer for any user who does not have a user account on the computer. By default, this account does not require a password, and you cannot create a password for it either. If you still wish to set a password for the guest account, you can easily do so.


Windows XP allows administrators to restrict other users from changing the password.


When you try to change your password after your password has expired, you are locked out of your account.


This tip will allow you to view, add, remove or edit the stored .NET user names and passwords. Each user name and password is a unique credential that helps you authenticate to services in domains.


After you reset your local computer account password by using a password-reset disk, you may be unable to decrypt encrypted files or folders.


When the sysprep tool has been used to install Windows XP or Windows 2000, there are cases in which checking the “Save Password” box in Internet Explorer or Outlook Express does not work. This occurs when the user has logged in as an existing user (such as Administrator) prior to running the sysprep tool.

Because the following features also use the Protected Storage Service, they may not work as expected:
  • Password save in Internet Explorer
  • Auto Complete in Internet Explorer
  • Subscription in Internet Explorer


Consider the following scenario. Microsoft Office Project Server 2003 is configured to use Microsoft Windows authentication to authenticate user accounts. You connect to Project Server 2003 by using Microsoft Office Project Web Access 2003 from a Microsoft Windows Server 2003-based computer or from a Microsoft Windows XP-based computer that is outside the Active Directory directory service domain. When you do this, a Connect to ServerName dialog box appears on the screen. You are prompted to type your user name and password before you can log on to Project Server 2003.


Password synchronization provides one-way (Windows-to-UNIX) and two-way password synchronization between Windows domains and Network Information Service (NIS) domains. The master server of the NIS domain can be running on UNIX or on Windows (Server for NIS).

Windows Services for UNIX provides precompiled binaries to support password synchronization on supported UNIX and Linux hosts. The following list describes supported hosts for Windows Services for UNIX 3.0:
  • HP-UX 11
  • Sun Solaris (sparc) 7.0, 8
  • IBM AIX 4.3.3
  • Red Hat Linux 7.0


When you change your password while you log on to Windows, you may not authenticate successfully with a third-party network provider. For example, when a user logs on to Windows and Citrix MetaFrame with a new password, the Windows password is successful, but the Citrix MetaFrame password is not successful.


When you dial a phonebook entry in Dial-Up Networking, you can use the "Save Password" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords.


If you forgot your four-digit parental control password and you follow the steps that are listed in Help to reset it, the password does not reset.


After you configure your computer to use a screen saver with a password, and after the screen saver has started, you may be able to bypass the password security and unlock the computer by pressing a key or by moving the mouse.


When you start a Microsoft Windows XP-based computer for the first time, the Out of Box Experience (OOBE) component runs. When the Setup Wizard then displays the Administrator Password page, you are prompted to type an administrator password in the Administrator Password box. But after you type a password, instead of retyping the password in the Confirm Password box, you decide to click Skip to skip the operation. However, when you click Skip, the operation is not skipped. Instead, the password that you typed is applied.

Because of this problem, you may not remember what password you typed. Therefore, you may not be able to log on to Windows by using the administrator account.


If the lpPassword parameter of the WNetAddConnection2 function is NULL, the WNetAddConnection2 function does not send the correct default password. The password is associated with the user name that is specified by the lpUserName parameter for a World Wide Web Distributed Authoring and Versioning (WebDAV) communication.

Note: The Server Message Block (SMB) redirector functions correctly with a specified user name and a NULL password.


When you attempt to connect to a resource, you may not be prompted for your credentials by the Stored User Names and Passwords feature as you expect. Instead, you cannot connect to the resource.


If the strong private key protection functionality is set to High with a software key in CryptoAPI, Windows XP prompts you for your private key password every time Outlook accesses the key for signing, encrypting, or decrypting an e-mail message.


You are no longer prompted to enter your private key password when strong private key protection functionality is set to high. This issue occurs after you upgrade your computer to Microsoft Windows XP Service Pack 2 (SP2), or after you install the hotfix that is described in the following article in the Microsoft Knowledge Base:

(http://support.microsoft.com/kb/821574/) Windows prompts you for your password multiple times when you use Outlook if strong private key protection is set to high.

When strong private key protection functionality is set to high by using a software key in CryptoAPI, you are no longer prompted to enter your private key password every time that the private key is used to sign data, to encrypt data, or to decrypt data. You are only prompted to enter your private key password the first time that the private key is accessed.


When you use the Migration Wizard, passwords may not migrate.


If you run a Windows XP unattended answer-file that includes an encrypted domain administrator password in the [Identification] section, the computer may not join the domain. The following text is an example of an unattended answer-file that includes an encrypted domain administrator password:

[Identification]
JoinDomain=mydomain
DomainAdmin= installer
EncryptedDomainAdminPassword=d85774cf671a9947aad3b435b51404eebaac3929fabc9e6dcd32421ba94a84d4



When you wake Microsoft Windows XP Tablet PC Edition from hibernation, you cannot enter your password through the Tablet PC Input Panel unless you tap the SHIFT key on the Input Panel more than one time. Sometimes, you cannot enter your password at all, and you have to restart the Tablet PC.


After you change a computer's membership from a domain to a workgroup and restart the computer, you cannot log on with your previous user name and password. You may also receive the following error message:

The system could not log you on. Make sure your user name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.


After you enter an incorrect password for your user account several times in a row, the logon screen appears to stop responding (hang) for a period of time, and then functions again. This behaviour happens after you enter an incorrect password six times in a row.


When you view the properties of a user account, the User must change password at next logon option may not be available.


In Microsoft Windows XP, removable devices may not appear when you use the Forgotten Password Wizard or the Password Reset Wizard. For example, when you use the Forgotten Password Wizard to create a password reset disk, removable devices may not appear in the list of devices to which you can back up your password. Additionally, when you use the Password Reset Wizard to reset your password, removable devices may not appear in the list of devices from which you can restore your password.


When you use the Remote Access Service (RAS) to log on to a Microsoft Windows NT 4.0 domain, your password may expire although you have not received the expected password expiry notification.


The following is a simplified algorithm that explains how Windows account validation is observed to function during network access using the NTLM protocol. It uses access through the Server Message Block (SMB) protocol as the example, but it applies to all other server applications that support NTLM authentication. This discussion does not cover the internal workings of this process. With this information, you can predict Windows network logon behaviour under deterministic conditions.


You may experience the following behaviors:
  • If you use System Restore after the password change interval expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
  • If you use System Restore after the password change interval expired two times, and you restore the computer to a point before the password changes, the domain user accounts on the computer are disabled, and users receive an error message when they try to log on.


When you install a version of Windows XP, Setup prompts you for a password for the Administrator account. After installation is complete, the password provided during Setup is applied to the account.


The Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows 2003 Security Accounts Management Database (SAM) stores hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes are encrypted. Windows prevents the use of stored, unencrypted password hashes.

You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This article describes how to use the SysKey utility to secure the Windows SAM database.


When you try to use the automatic logon feature in Windows XP to run unattended or Sysprep.exe installations, automatic logon may not occur, even though your answer file has the correct settings.


This article contains sample code that demonstrates how to use the LDAP ADSI provider to obtain the password expiration date of an Active Directory user.


When you run the Forgotten Password Wizard in Microsoft Windows XP to create a password reset disk on a computer that does not have a floppy disk drive, you are prompted to insert a blank, formatted disk into drive C.


When you use the Netdom.exe utility to join a Windows XP Professional-based computer to a domain, you may receive the following error message:

The specified network password is not correct.

The command failed to complete successfully.



Windows XP may not display a notice to a user that the user's password is about to expire. This problem may occur if the user logs on to a Microsoft Windows 2000-based domain from a Windows XP Professional-based computer on which the user has previously logged on, and the user's password will expire in the specified expiry period.


After you install Windows XP, you have the option to create user accounts. If you create user accounts, by default, they will have an account type of Administrator with no password.


This article discusses the following aspects of NTLM user authentication in Windows:
  • Password storage in the account database
  • User authentication by using the MSV1_0 authentication package
  • Pass-through authentication


The Administrator Logon dialog box may be hidden under the Welcome screen when the AutoAdminLogon feature is enabled and the user account is either deleted or missing.

Or

The Log On to Windows dialog box may be displayed with incorrect credentials after the Autologon feature had been unsuccessful, and you received the following error message:

The system could not log you on. Make sure your user name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.


This article describes how to access a network resource where you must supply credentials when your user account is configured with the "Smart card is required for interactive logon" setting.


When a service does not start because of a logon failure, you may receive either of the following error messages in the system event log after you restart the computer (where ServiceName is the name of the service in question):

Source: Service Control Manager
Event ID: 7000
Description:
The ServiceName service failed to start due to the following error:
The service did not start due to a logon failure.

No Data will be available.


Or

Source: Service Control Manager
Event ID: 7013
Description:
Logon attempt with current password failed with the following error:
Logon failure: unknown user name or bad password.

No Data will be available.


When you attempt to manually start the service, you may receive the following error message:

Microsoft Management Console
Could not start the ServiceName service on Local Computer
Error 1069: The service did not start due to a logon failure.


Note: You may receive these error messages even though the user account is valid.


When you try to use the cached credentials of a Massachusetts Institute of Technology (MIT) Kerberos Realm user to log on to a Windows XP Professional workstation, you may receive the following error message:

The system could not log you on. Make sure your user name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case.


After you upgrade a Microsoft Windows 2000-based computer, Windows XP Professional may start directly to the desktop without stopping at the Welcome screen or requiring you to type a username and password.

If you then create a new user account, you may not receive any option that allows you to log on by using the new account.


After you upgrade a computer to Microsoft Windows XP from Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me), the computer may appear to stop responding (hang) right after you type a password and dismiss the password creation dialog box. Additionally, you may see only a blue background on the screen.

If you press ALT+TAB to switch between the Windows Logon screen and the Welcome To Windows screen, the screen may not change, depending on what screen you are switching.


When an administrator tries to reset the password for a local user on a computer by using the Local Users and Groups snap-in, the administrator receives the following incorrect message:

Any password reset disks the user has created will no longer work.

Note: This message is incorrect; the user can use password reset disks.


After you complete the following procedure, you may be prompted to type a user password each time you try to log on to a remote computer:
  • You store user credentials in a Terminal server computer by using a third-party credential manager program.
  • You try to log on remotely to the Terminal server computer from a Windows XP-based computer by using the Windows XP Remote Desktop feature.
Your credential manager program may not be able to acquire the log on credentials for the user, and you may be prompted to type the user password each time you try to log on to the remote computer.


When you create an Unattend.txt file to perform unattended installations of Windows XP, you do not have an option to encrypt the user name and user password to join a domain.


When you try to log on to a Windows NT 4.0 domain from a Windows XP-based computer, you may receive the following error message:

The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect.

You can log on locally to your computer and map drives to the Windows NT 4.0 Server-based computer by using your user domain credentials, and you can log on to the domain by using the same user account from a Windows NT 4.0-based computer.


When you log on to Windows XP, it may take longer than you expect. When you use CTRL-ALT-DELETE to log out, you may receive the following error message:

Windows cannot load the locally stored profile: Insufficient security rights or a corrupted local file. Windows has logged you in with a temporary profile any setting you make will not be saved.


This article discusses cached credentials security in Microsoft Windows Server 2003, in Microsoft Windows XP, and in Microsoft Windows 2000. This article mostly discusses domain credentials. However, this article also discusses generic credentials for clarification.


This article describes the behaviours to expect when you attempt to unlock a locked workstation. Note: This behaviour only happens when you have Fast User Switching disabled. (When you join a Windows XP Professional computer to a domain, the Welcome Screen logon (and Fast User Switching) is disabled.)


If the security log is full and a restricted user with no password attempts to log on from the Windows XP Welcome screen, the logon request is rejected without any error messages.


You may find that you cannot type any characters in the User name box and the Password box in the Log On dialog box. This occurs on a computer that is running Microsoft Windows Server 2003, Windows Server 2003 with Service Pack 1 (SP1), or Windows XP Service Pack 2 (SP2). Because you cannot enter your credentials, you cannot log on to the computer. However, you may be able to log on to the computer after you restart the computer.


When you upgrade your computer from Windows 2000 to Windows XP and the Guest account is enabled for local logon, the Guest option is available when you run the Out of Box Experience (OOBE). You are able to log on as a Guest without using a password.


After you change a password on one computer and then log on to another computer, the matching credentials in Stored User Names and Passwords are not updated.


When you try to log on to a Windows XP-based computer from the Welcome logon screen, you cannot type your password. For example, when you click in the password box, and then you try to type the password, nothing happens. Asterisk characters do not appear in the password box, and the password is not acknowledged. Because of this problem, you cannot log on to the account by using password authentication. This problem may occur only occasionally.


When you call the MSChapSrvChangePassword function to change the password of a domain user account in the Active Directory directory service, the function may fail. When this problem occurs, the function may return an unexpected error code.

This problem occurs on a computer that is running Microsoft Windows Server 2003 or Microsoft Windows XP.


Under the following conditions, you may not be able to obtain access to your encrypted files:
  • You logged on to your computer in a workgroup or in a Microsoft Windows NT 4.0 domain.
  • You encrypted files on your local computer by using a local user account or a domain user account in the Microsoft Windows NT 4.0 domain.
  • You have changed your password.
  • You have logged on to your computer by using cached credentials when your computer is not on the network.


Consider the following scenario. A Microsoft Windows XP Professional-based member computer is joined to a domain controller. In the domain controller, the audit policy is turned on for logon failures. When a local user on the member computer logs off, the following event is logged two times in the Security log in the domain controller:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: domain controller computer name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: user name
Domain: client computer name
Logon Type: 3
Logon Process: KSecDD
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: client computer name

For more information, see Help and Support Center at
http://support.microsoft.com.


Consider the following scenario. A Microsoft Windows Server 2003-based member computer is joined to a domain controller. In the domain controller, the audit policy is turned on for logon failures. When a local user on the member computer logs off, the following event is logged in the Security log in the domain controller:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: domain controller computer name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: user name
Domain: client computer name
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: client computer name

For more information, see Help and Support Center at
http://support.microsoft.com.



On a Windows XP-based computer that is part of a workgroup and has the Fast User Switching feature enabled, the computer may start without displaying the "Welcome" logon screen.

The Guest account is not relevant when Windows determines if there is only one user without a password. If there is only one user registered on the computer, the "Welcome" logon screen is not displayed before the account is logged on. You can use the Fast User Switching feature to gain access to the Guest account.

Note that this behaviour occurs only if the user account is part of a workgroup (not a domain) and any of the following conditions exist:
  • No password is configured for the user account.
  • No other users are registered on the computer.


You use a compressed (zipped) folder on a Microsoft Windows XP-based computer. When you try to remove a password from the compressed folder or add a password to the compressed folder, you receive the following error message:

Compressed (Zipped) Folders Error
Cannot create output file


The password is not successfully removed or successfully added for some files.


When you try to open a folder in Microsoft Windows XP, you may receive the following error message, where Folder is the name of the folder that you cannot open:

Folder is not accessible. Access is denied.

This issue may occur if the folder that you cannot open was created on an NTFS file system volume by using a previous installation of Windows, and then installing Windows XP. This issue may occur although you enter the correct user name and password. This issue occurs because the security ID for the user has changed. Although you use the same user name and password, your security ID no longer matches the security ID of the owner of the folder that you cannot open.


When you change the user password on a Microsoft Windows XP-based computer, you lose access to data.

This problem occurs if the Data Protection API (DPAPI) protects data when the domain-joined computer is offline.


Microsoft Client Services for Netware (CSNW) does not use stored credentials in Windows XP. CSNW cannot store or retrieve credentials by using the Data Protection API (formerly known as Protected Store).


In Microsoft Windows XP Tablet PC Edition 2005, the dot that represents the first character of the password does not appear on the screen when you tap the software keyboard. Therefore, you may be unable to correctly enter the password by using the touch screen.

When you enter the second and successive characters of the password, dots are displayed to indicate that characters have been entered. However, because no dot is displayed to indicate that the first character has been entered, you may be unable to correctly enter the password.


Consider the following scenario:
  • You have a computer that is running Microsoft Windows XP.
  • There are two network shares on a remote server.
  • You use user credentials to connect to one of the network shares. Then, you try to use different user credentials to connect to the other network share.
In this scenario, you may receive the following error message:

The network folder specified is currently mapped using a different user name and password. To connect using a different user name and password, first disconnect any existing mappings to this network share.

If you click OK in response to this error message, you may receive the following error message:

Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.


The screen saver settings for a user or for a Group Policy object may not be applied. For example, you may experience one or more of the following symptoms after a domain administrator configures screen saver settings in Group Policy:
  • The screen saver may not be enabled after the specified screen saver timeout.
  • Users may not be able to change their screen savers.
  • Users are not prompted for a screen saver password even if the administrator configured the "Password protect the screen saver" policy setting to Enabled.


When you install a Microsoft Windows 2000-based disk image or a Microsoft Windows XP-based disk image that was created with the Microsoft System Preparation tool (Sysprep.exe), some scheduled tasks may not start as expected.

When you view the properties of a failed task, you may receive an error message similar to the following:

0x8004130f: No account information could be found in the Task Scheduler security database for the task indicated.


If an account lockout policy is applied to a domain, and an account is present both in the domain and in the local SAM of a client of this domain with a different password, the account will be locked out if a user logs on to the local account of the client and tries to connect to a share of a server member of the domain via the "Run" command from the "Start" menu of Explorer.

This can also happen if the client is a member of another domain that has the same account with a different password and the user is logged on to that account.


Consider the following scenario:
  • You try to log on to a Microsoft Windows Server 2003 or Microsoft Windows XP workstation as a trusted Massachusetts Institute of Technology (MIT) Kerberos realm user.
  • Your MIT Kerberos realm user account is mapped to a Windows account.
  • You enter the wrong password.
In this scenario, the Kerberos client ignores the KRB_AP_ERR_BAD_INTEGRITY return message, and then tries to log on three more times with the same credentials. If an account lockout policy is enabled in the MIT Kerberos realm, this causes four bad passwords to be counted for each bad logon on the client workstation.


Consider the following scenario. You use a program that uses the IADsOpenDSObject::OpenDSObject method to specify a user principal name (UPN) for the user ID during logon. This user ID is specified during logon to a Microsoft Windows Server 2003 domain. However, if a user types the wrong password in this scenario, the number of unsuccessful logon attempts is not incremented by the authenticating domain controller, as indicated by the badPwdCount value.


Consider the following scenario:
  • On a Microsoft Windows XP-based client computer, you run a program that uses the Data Protection API (DPAPI).
  • The Windows XP-based client computer is joined to a Microsoft Windows Server 2003-based domain.
  • You log on to the Windows XP-based client computer as a domain user, and you change the domain password.
  • After you log off the Windows XP-based client computer, you encrypt data by using the DPAPI-based program.
In this scenario, you cannot access the encrypted data when you log back on to the Windows XP-based client computer by using the new domain password.