Can't unlock laptop after waking up if user has ever logged in using Remote Desktop
I've started setting up new PCs in our organization with Windows 7 Enterprise x64 and there's one bug I can't figure out. By default our systems are set to allow remote desktop sessions. If a user logs into their computer remotely, the following scenario becomes an issue...

User has laptop and uses it when undocked (not connected to the domain). If the computer goes to sleep, it won't accept their password after waking up. If they click "other credentials" > "cancel" > "switch user" it will allow them to login.

This problem is specific to the user's profile and is triggered by logging in at any point in time using remote desktop.
- It is only an issue when waking the computer from sleep while away from the office.
- It is not an issue when docked in the office.
- It is not an issue when just locking the PC.

The only fix I've found so far is to delete the user's profile and re-create it. Below is the audit failure log entry in the security log. Thanks in advance for any help.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/8/2010 8:15:48 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: GBP1210975.packers.net
Description:
An account failed to log on.

Subject:
    Security ID: SYSTEM
    Account Name: GBP1210975$
    Account Domain: PACKLAN
    Logon ID: 0x3e7

Logon Type: 7

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: conard
    Account Domain: PACKLAN

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

Process Information:
    Caller Process ID: 0x3d8
    Caller Process Name: C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name: GBP1210975
    Source Network Address: 127.0.0.1
    Source Port: 0

Detailed Authentication Information:
    Logon Process: User32
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-09T01:15:48.135981000Z" />
    <EventRecordID>1600</EventRecordID>
    <Correlation />
    <Execution ProcessID="688" ThreadID="1188" />
    <Channel>Security</Channel>
    <Computer>GBP1210975.packers.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">GBP1210975$</Data>
    <Data Name="SubjectDomainName">PACKLAN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">conard</Data>
    <Data Name="TargetDomainName">PACKLAN</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">7</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">GBP1210975</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x3d8</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>
August 9th, 2010 5:38am
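
An added triage sketch (not part of the original post and not a Microsoft tool): it parses an exported 4625 event like the one above and separates a failed console unlock from a network logon failure. The lookup tables cover only a few documented logon types and NTSTATUS codes, and the function name `triage_4625` is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Partial tables: only the documented values this triage needs.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock",
               10: "RemoteInteractive", 11: "CachedInteractive"}
NTSTATUS = {0xC0000064: "no such user",
            0xC000006A: "wrong password",
            0xC000006D: "logon failure",
            0xC000005E: "no logon servers available",
            0xC0000234: "account locked out"}

# The event from the post, trimmed to the fields used below.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID>
<TimeCreated SystemTime="2010-08-09T01:15:48.135981000Z" /></System>
<EventData>
<Data Name="TargetUserName">conard</Data>
<Data Name="TargetDomainName">PACKLAN</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">7</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
</EventData></Event>"""

def triage_4625(xml_text):
    """Parse one exported 4625 event and classify where the failure came from."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a logon-failure (4625) event")
    d = {n.get("Name"): (n.text or "").strip()
         for n in root.iterfind("e:EventData/e:Data", NS)}
    ltype = int(d["LogonType"])
    ip = d.get("IpAddress", "-")
    local = ip in ("-", "", "127.0.0.1", "::1")
    # Type 7 from loopback via winlogon.exe: someone at the lock screen,
    # not a network client guessing passwords.
    console_unlock = (ltype == 7 and local and
                      d.get("ProcessName", "").lower().endswith("\\winlogon.exe"))
    return {
        "account": d["TargetDomainName"] + "\\" + d["TargetUserName"],
        "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
        "status": NTSTATUS.get(int(d["Status"], 16), d["Status"]),
        "sub_status": NTSTATUS.get(int(d["SubStatus"], 16), d["SubStatus"]),
        "source": "local" if local else ip,
        "console_unlock": console_unlock,
    }

if __name__ == "__main__":
    for key, value in triage_4625(SAMPLE).items():
        print(f"{key:15} {value}")
```

Separating console unlock failures from network failures keeps a recurring lock-screen problem like this one out of password-guessing alerts while still leaving it visible for troubleshooting.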

What do you mean by “logging in at any point in time using remote desktop”? If anyone is logging in from remote computer, the computer will not go into sleep mode.

What is the kind of the user profiles? Local user profile or domain user profile?

Which antivirus did you deploy onto the computers? How does it work if you temporarily disable it?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 11th, 2010 11:52am

Thank you for the reply... I'll try to clarify as best as I can.

What do you mean by “logging in at any point in time using remote desktop”?
This is the scenario. User is given a new PC and all works as it should for weeks. User then accesses the computer via RDP one day. From that point on, whether they're logged into the PC via RDP or locally, if the computer wakes from hibernation and is off the network it won't accept their password.

What is the kind of the user profiles? Local user profile or domain user profile?
Domain user profile. We do not use roaming profiles. The profile is specific to that PC.

Which antivirus did you deploy onto the computers? How does it work if you temporarily disable it?
We use McAfee VirusScan Enterprise 8.7.0i. Disabling McAfee didn't help at all and the McAfee logs do not show anything related.

Thanks again for the help, I appreciate it.
August 12th, 2010 1:42am

As I know, for most McAfee antiviruses, although we disable it from UI, their engines are still running. Therefore I suggest you remove McAfee from one of the problematic computers as a test. After doing so we can confirm if the issue is caused by the antivirus.

Also, after removing McAfee, please delete the cached credentials. Then please see if the issue still occurs.

How to DELETE Windows Local & Domain Cached Credentials

Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

If the above suggestions do not help, please check the permissions of the branch HKEY_LOCAL_MACHINE\SECURITY. Make sure that SYSTEM has Full Control on the branch SECURITY.
August 13th, 2010 9:36am

Sorry for the long delay on this... here's an update. I had another user experience the issue, so I tried your suggestions but haven't had any luck. Here's a breakdown of what I did...

- Completely removed McAfee (Antivirus, Antispyware and Agent)
- Reboot
- Login while connected to the LAN, disconnect from LAN, then put computer to sleep. When I tried logging in it still had the issue.
- Logged in as the local administrator
- Checked permission for HKEY_LOCAL_MACHINE\SECURITY\CACHE and SYSTEM had full control.
- Exported HKEY_LOCAL_MACHINE\SECURITY\CACHE for a backup
- Deleted the cached credentials (Set value to zero for HKEY_LOCAL_MACHINE\SECURITY\CACHE\NL1$, it was the only one)
- Reboot
- Login while connected to the LAN
- Reboot and disconnect from LAN
- Tried logging in and it would not even attempt to because it did not see the DC (sorry, don't have the exact message)
- Removed computer from the domain and re-joined, but that did not fix it.
- Set the number of cached credentials to zero, rebooted, reset to 10, rebooted, logged in while connected to LAN, then while off the LAN, same issue.
- Imported the .reg file and now I'm back to square one.

As a workaround I enabled this local group policy. (Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon: Display user information when the session is locked > Security Setting = User display name only) Now at the logon screen I have to type in my username each time, but it does unlock the machine.
February 17th, 2011 8:34pm

I can't say for sure that Windows 7 Service Pack 1 took care of the issue, but ever since we started deploying computers with SP1, none of them have experienced this issue.
December 14th, 2011 10:46am
