Group policy gets "stuck" on workstation

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I've got an unusual problem. Some Windows 2000 workstations in my
environment will lock themselves when no user is logged in. They display the
message "Only or an administrator can unlock this computer". It is exactly
the issue described here:
http://support.microsoft.com/kb/242917

However, the default screensaver is just fine! After hours of investigating
I discovered that some user policies are being applied before anyone logs in!
The user policies associated with the usual user of the machine got "stuck"
and are applied as soon as the machine starts. Of course, the user policy
enforces a mandatory screensaver that locks the computer, causing this issue.

I found that if I remove the user from her OUs, it does not change the
"stuck" policies that get applied. Also, I can see that the user policies
that are in place before logon have not refreshed for many months, using
gpresult. Somehow it got "locked in" and it's just in there, forever. When a
user actually logs in to the machine, they disappear and the user gets their
usual policies. Once they log out, these months-old policies come back into
effect.

We're on a Windows 2000 domain, and this has happened to about a dozen of
our 250 Win2k workstations.

So the big question, does anyone know how to fix this?
 
It is not possible for a computer to be locked when no user is logged in.

Make sure that automatic logon options are not enabled.

Verify this by performing these steps:

1. Open regedt32.
2. Select the following key: HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon
3. Double click the AutoAdminLogon key.
4. Modify it to a zero or ensure that it does not exist.
5. Close regedt32.
 
If you read the article below, you will see that it is indeed possible for a
computer to be locked with no user logged in:
http://support.microsoft.com/kb/242917

I've done the steps you describe, AutoAdminLogon is already set to 0.


I will try to describe the symptom more clearly:

When the computer is rebooted, it displays "Press Ctrl-Alt-Del to begin" as
it normally should. After 7 minutes of doing nothing, it suddenly locks. It
then says "This computer is in use and has been locked. Only or an
administrator can unlock this computer."

Note that it does not say "Only USERNAME or an administrator can unlock this
computer" as it normally should! The user is missing from where it normally
would be, the reason is that no one is logged on.

Thanks, any help is appreciated.
 
Hello Jesse,

I think I used my common sense when I said it is not possible. I was wrong,
sorry for that.

I’m sure you tried the resolution on that support article and it did not
work for you.

I will suggest another approach. Why do you want to use a screen saver while
waiting for someone to log on locally? Just tell the system that when no
one’s logged in (e.g., when the .DEFAULT profile’s being used) that you don’t
want a screen saver to run.

This can be done by performing these steps:

1. Start Registry Editor
2. Select the following key: HKEY_USERS\.Default\Control Panel\Desktop
3. Locate the ScreenSaveActive value
4. Modify it to zero
5. Restart the computer

Please keep me updated.
 
Hi,

I've just tried what you suggested, but the computer still locks after 7
minutes as specified in the group policy settings for our users. This makes
sense to me, as all of the values in HKEY_USERS\.Default\Control
Panel\Desktop were always the normal values like "ScreenSaverIsSecure = 0"
(but the computer locks anyway) and "ScreenSaveTimeout = 900" (which is 15
minutes but the computer locks after only 7 minutes).

Do you have any other ideas? Thanks for your continued interest in my problem.
 
Try this on one of the problem machines:

Backup then delete the following files:

%systemroot%\system32\GroupPolicy\User\registry.pol
%systemroot%\system32\GroupPolicy\Machine\registry.pol
%userprofile%\ntuser.pol

Backup then delete the following registry entries:

HKLM + HKCU
\Software\Policies
\Software\Microsoft\Windows\CurrentVersion\Policies

Restart the machine and see if that clears the "stuck" policies...

HTH...



Jesse said:
Hi,

I've just tried what you suggested, but the computer still locks after 7
minutes as specified in the group policy settings for our users. This makes
sense to me, as all of the values in HKEY_USERS\.Default\Control
Panel\Desktop were always the normal values like "ScreenSaverIsSecure = 0"
(but the computer locks anyway) and "ScreenSaveTimeout = 900" (which is 15
minutes but the computer locks after only 7 minutes).

Do you have any other ideas? Thanks for your continued interest in my problem.
Click to expand...


Ha®®y

(e-mail address removed)
 
Did you replace the default user profile with a customized default user
profile? If yes, create a temporary local user account. Log on locally using
the account you've just created and disable the screen saver. Log off then
log on using administrative account. Copy the user profile you’ve just
created to the default user profile using System Properties.

If this don't work I gave up :(
 
Alas, this has led me to the solution! The locations you suggested did not
work, but it led me to look here in the registry:

Users\.DEFAULT\Software\Policies
Users\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies

The offending settings were contained there. After I deleted them, the
locking issue disappeared. Thanks so much for your help!
 
I learned something interesting while troubleshooting the problem, that is
that the "Default User" profile is not what is used at the logon screen. The
registry branch "users\.DEFAULT" contains settings for the localsystem
account, not for the "Default User" profile. It is just bad planning that
they named it ".DEFAULT".

Thanks so much for your help.
 
Back
Top