Here’s a fun little feature with Microsoft Vista. All you need is a Vista machine and a VPN connection. If you get lucky, it’ll be an easy and instant way to repeatedly lockout your domain account!
First, from your Vista machine create a VPN connection to a non windows-authenticated VPN — for instance, at the office we use a Cisco appliance with non-domain username/password. Connect to it with your Vista machine. At first, things may seem fine. But at some point, you’ll find that every time you connect to the VPN, your domain account gets locked out!
Here’s what I know so far:
- It only happens to folks establishing the VPN connection from a Vista machine
- Doesn’t happen to folks running XP (seems obvious, but I’ll state it)
- Everything is fine initially with no lockout issues. I’m not sure when the trouble begins, but it seems to be one of the following:
- We changed our Active Directory domain passwords
- A recent windowsupdate within the past few weeks
Unfortunately, the two “possibles” pretty much coincide as far as timing goes, so I’m not sure which, but my gut tells me it’s the first one and related to caching passwords somewhere.
We don’t cache our VPN passwords. We don’t use offline folders (to my knowledge) which I believe do cache.
If not careful, I can repeatedly lock my account out every time I try and access a file share. The only cure I know is to do the following after the initial VPN connection:
- Go to the Control Panel
- Click on “User Accounts”
- Click on “User Accounts” again (on the next screen)
- Click on “Manage Your Network Passwords” under Tasks in the left sidebar.
- Select “<dialup session>” and click “Remove”
After following those steps, [and] once I get my domain account unlocked, it’ll stay unlocked. Fortunately, I’m the domain admin so I can just remote in and fix it, but geeze… Every time I connect to the VPN, it stores a new <dialup session> that I have to remember to go delete. Maddening!
More and more folks are getting Vista machines at home. I really don’t want to teach everyone at the office that 5 step dance from above followed by “then call Chris to reset your account”. That would suck.
Thus far, my web searches have been fruitless. If anyone has found a working fix to this, I’m all ears!
Possibly Related posts:
December 31st, 2007 
Tags: 
Wow, I wish that was the reason why I can’t connect to the VPN from Vista! My problem happens to be that the VPN requires MSCHAPv1 and no matter what I do in Vista, it doesn’t work.
If it wasn’t for VMWare running XP, I wouldn’t be using Vista.
Hi Alisha. I still like Vista, in general, but there are a few little annoyances that become tedious…
We have the same problem and its very frustrating. It problem seems to start when outlook is opened.
I have solved this by setting the policy “Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication” = Enabled. Then Vista do not store the “” at all, and it seems like the user is no longer locked out
I ended up solving it by going back to XP for the work machine.
Good tip there Karsten. I will definitely give it a shot on the next go around!
Hi,
had the same problem. this here is the solution:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3806154&SiteID=17