MORE INFORMATION

You can unlock a workstation either manually or by means of a program (for example, by using a screen saver). When the workstation is locked and you attempt to unlock it, you can observe standard expected behaviors from the unlocking process.

When a user logs on to a computer, the Winlogon Service stores a hash of the user's password for future unlock attempts. When the user attempts to unlock the workstation, this stored copy of the password is verified. If the password entered at the unlock dialog request and stored hash match, the workstation is unlocked. If the password entered does not match the stored hash, the workstation attempts to logon (authenticate the password). If the logon process succeeds, the local hash is updated with the new password. If the logon process is unsuccessful, the unlock process is also unsuccessful.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
The preceding process has been designed to limit network traffic generated by the workstation. However, if more stringent behavior is needed, there is a registry entry to force the workstation to logon (authenticate) at every unlock attempt. The following registry setting is received every time the computer is locked:

ForceUnlockLogon
REG_DWORD
0 - Do not force authentication inline (default)
1 - Require online authentication to unlock

The preceding value controls whether a full logon is performed during the unlock process. This can force a validation at the domain controller for the user attempting the unlock process.

Note If the value is not present, it functions as if it had been set to 0 (zero).


For more information about the ForceUnlockLogon registry value, click the following article numbers to view the articles in the Microsoft Knowledge Base: