Domains and Unlocking PCs


Sep 16, 2013
My workplace has been pretty heavy about users locking their PCs before stepping away, which is great, but I'm beginning to notice a problem: users are unable to unlock them.

To be more specific, I'm in the IT department for my company and we troubleshoot end-user PC issues. A few months ago they decided to implement thin clients, and the issue I'm referring to is specific to these things. When users lock them, they often cannot unlock them with their LAN credentials, but a simple reboot allows them to log in just fine (of course they lose anything they had been working on since they were forced to shut down).

I'm not so much asking why this is happening, since it's our network engineers' job to figure that out, but I was curious as to whether Windows in general authenticates when unlocking a PC. What I mean is, if I change a password in Active Directory and a user reboots their machine, they have to use that new password. If I do the same and the user has only locked it, does it have to use the new or the old password?


Mar 25, 2009

What you are really asking about is the presence of cached credentials when a domain-joined PC is using a domain SID (not the local machine SID) in AD. If the connection exists prior to login, then the domain will (should) be used. The event viewer should log failures to contact the DC if none can be found. If the connection is not available, a cached credential will be used.

New or old password will depend more on the domain password accounts policy set in the directory.

Are these thin clients really just some form of RDP running on top of Windows?
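
The unlock behaviour and the DC-contact failures discussed in this thread can be checked on an affected client with a short PowerShell script; this is an added example, not part of the original posts. It assumes the standard Winlogon registry values `ForceUnlockLogon` and `CachedLogonsCount` and Netlogon event ID 5719 in the System log; the 24-hour look-back window is an arbitrary choice.

```powershell
# Added example: report how this workstation validates an unlock and whether
# it has recently failed to reach a domain controller. Run elevated.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$values   = Get-ItemProperty -Path $winlogon

# ForceUnlockLogon = 1 -> the unlock password must be validated by a DC.
# Absent or 0          -> the unlock can be satisfied from cached credentials.
$forceUnlock = 0
if ($null -ne $values.ForceUnlockLogon) { $forceUnlock = [int]$values.ForceUnlockLogon }

# CachedLogonsCount is stored as a string; Windows defaults to 10 when unset.
# A value of 0 disables cached logons, so any unlock without a DC fails.
$cachedCount = 10
if ($null -ne $values.CachedLogonsCount) { $cachedCount = [int]$values.CachedLogonsCount }

# Netlogon 5719: the machine could not set up a secure session with a DC.
$since  = (Get-Date).AddHours(-24)   # assumption: 24-hour window
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719; StartTime = $since }
$dcFailures = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Current state of the machine account's secure channel to the domain.
try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $channelOk = $false }

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    UnlockRequiresDC     = ($forceUnlock -eq 1)
    CachedLogonsAllowed  = $cachedCount
    SecureChannelHealthy = $channelOk
    Netlogon5719Last24h  = $dcFailures.Count
    LastDcFailure        = ($dcFailures | Select-Object -First 1).TimeCreated
}

# The combination that matches the symptom in the question: unlock needs a DC
# (or caching is disabled) and the client is not reaching one.
if ((($forceUnlock -eq 1) -or ($cachedCount -eq 0)) -and
    ((-not $channelOk) -or ($dcFailures.Count -gt 0))) {
    Write-Warning 'Unlock depends on a DC this client is failing to reach.'
}
```

When `UnlockRequiresDC` is false and cached logons are allowed, a locked session can still be unlocked with the password that was cached at logon, even after the password has been changed in Active Directory.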