Problem: PCs running Windows 7 32 or 64 bit Pro Some machines that are domain members and are apparently using only wireless access... A valid user attempts to login and misses that password one time will corrupt the PC's domain account within the PC and a user cannot login. This can be fixed by restoring the PC using system restore to before the event happened. If the PC is disconnected from the network a user with an account on the PC can log on just fine, reconnect the network and work normally until they are required to log on again. The DC does not see a problem with the PCs account. This does not happen every time and may have some other commonality but thats all I have found so far. Can someone please tell me how to prevent this or shed some light on where the problem is; a domain problem, PC setting, or registry adjustment? Thank you!

Are there any traces in Event logs? Are there any special settings in GPO like Wait for network...? You cannot continue in deeper level of forensics without network monitor data (either from MS or free Wireshark will do the task) Regards Milos

Hi, Take a look in audit logs on Domain Server. This will tell you why the account is locked. Juke Chou TechNet Community Support

So many questions to eliminate possible causes - You can login with another account to run a system restore? Is there a screensaver set to require password after running? How does the computer handle logging on with a brand new account when connected to wifi, does it authenticate with the domain controller and set up a profile? You say corrupted PC account, what do you mean by this? Can you connect remotely to the root of the machine when it fails \\pcname\c$ ? Can you ping the machine? Any error message when logging in, you must get some sort of message when the logon fails. Also eventvwr on the client should show some answers at the time the problem occurs.

Thank you for the replys to my question. I know few more things about what circumstances surround the problem: 1. The DC has nothing in the log about any problem with the computer account and is not what is locking it out otherwise doing a system restore would not work. This is all in the PC Windows 7 system. Doing a system restore on the PC fixes the domain lockout of the computer account or another way to put it is more like a corrupted computer account. 2. It seems that when a user account login is attempted more than one occurrence at the same time the PC corrupts is domain account for example: a laptop that has been on wireless is brought back an docked with a wired LAN connection and both are on. The user logs in and misses the password just once and the PC corrupts the domain account. OR --- A training center with multiple PC's and more than one person tries to login using the same training account. The password is missed (or maybe not) and one or maybe both PC's corrupt their domain account. Once again restoring the PC to before the lockout event restores the domain account. AND disconnecting the PC from the network, logging on with a valid domain user account that is already cached in the PC, and reconnecting the network will allow the user to work normally. Is there a way to prevent this? I believe I have read somewhere that the PC manages its account and the registry has something to do with how often the password is changed? Any help would be appreciated. I have training PC's corrupting Domain PC account during trainings and it is very distracting.

take a look - http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Thanks for the reply. The link is the most helpful so far. In fact I believe I have read that some time in my past. I still can't see how the password change procedure has to do with corrupting the domain account. I'm pretty sure it has something to do with the password but what conditions will or could cause it to try to change prematurely? Could it have something to do with having two Domain controllers that wold be out of sync at the moment? I will see if I can find the time to positively duplicate the domain account corruption and report it.

It could also be the NTAUTHORITY\SYSTEM account locking the computer account. This could be a mapped drive, or a process/service running in the context of this account has a password set with it.