Vista Business in AD 2000 Domain


FastLearner
05-10-2007, 09:46 AM
While I am waiting for the return call from Microsoft (which is going to cost 299 Euros, by the way), I figured I'd share this phenomenon with you all:

We have a new laptop in the company preinstalled with Windows Vista Business - our first try with the new OS. I brought this notebook into the Windows 2000 domain, which went okay. Now when a domain user logs into the computer, everything appears to work okay (i.e. the network drives connect and the user profile is created on the laptop), except......

(take a deep breath)

The user's domain account is deactivated and the domain admin (me) needs to unlock the user's account before they can relog into the domain again. This happens every time and with every user that tries to log into this computer.

What on earth could cause this?

I have also checked in the AD User properties and there are no restrictions stating that users are allowed to only log in from certain machines.

Any takers?

Variable
05-10-2007, 10:14 AM
Unlocking sounds like it is sending the wrong password multiple times and getting locked out or another group policy is locking them out, like the date is incorrect on the machine. Look in the event viewer on the DC and the machine for errors. You may have to turn on more logging if you are using the defaults for Security.

FastLearner
05-10-2007, 10:25 AM
Nothing unusual showing on the DC side system logs. I will check the notebook's logs later on.

Edit... Nothing there except a few hints to the time not being correctly synchronized (the message is in German so translating it will not do much good). Perhaps your hint about time being off may be the way to pursue, variable. I wouldn't even know where to start looking at how to fix this problem, though. And why would this only happen with the Vista machine? This is getting irritating, and MS hasn't called back yet either :(.

Variable
05-10-2007, 03:25 PM
If an account is getting locked out there should be an event message. Is the machine directly connected to the domain or are they using VPN?

FastLearner
05-11-2007, 04:00 AM
They are directly connected to the network and getting an address via DHCP.

I still don't see any events that someone is getting booted. Perhaps I need to turn this logging on extra (if so, I can't find where to do this, as it is not listed within the other logging options)?

I am really thinking that some domain group policy is not liking the way Vista logs on for some reason, and is then in turn booting the user as a punishment. I have looked through the group policy editor, however, and I don't see any active rules that it may be - except for perhaps one of the kerberos rules?

FastLearner
05-11-2007, 09:35 AM
So, a little bit of progress to report anyway...

While working through this problem with MS, I discovered that users who do not use a login script are not locked out of the domain upon logging into the Vista machine.

This means that the problem is somewhere in the way Vista is handling the login scripts - used only to map drives and add default printers. Normally I could look and see exactly where this script is hanging (through the DOS window that pops up while the login scripts are running) but Vista conveniently blends this out for our 'benefit'...:mad:

So I guess now all there's left to do is to piece the script back together one piece at a time until the problem repeats. Then I'll let you all know exactly what it is about the script that is not working. MS Support is also analyzing these scripts at this time, so sooner or later (I assume) either I or they will figure this out...:cool:

FastLearner
05-14-2007, 05:29 AM
This is the script that Vista can't seem to carry out correctly, although Windows XP has no problems with it:

REM ----------- Printers -----------------
\\servername\netlogon\con2prt.exe /c \\printservername\LJ4100
\\servername\netlogon\con2prt.exe /c \\printservername\LJ5000N
\\servername\netlogon\con2prt.exe /c \\printservername\LJ5550DN

How I could make this work with Windows Vista would now be my last challenge...

Variable
05-14-2007, 12:35 PM
Look here
http://www.developersdex.com/asp/message.asp?p=593&r=5431945&page=2

FastLearner
05-15-2007, 05:12 AM
Well at least I'm not the only one with this problem. Microsoft's suggestion was to manually add the printers via the printer assistant - why am I not surprised?

Also I should have mentioned that all of the network drives are being mapped correctly for the Vista user(s), which are also done with the same .vbs script.

Somewhere during the con2prt.exe command everything is breaking down and Vista is sending the wrong passwords, resulting in the user getting booted from the domain.

MS also referred me to this page, which I am not yet certain will help me, since we have a Windows 2000 AD Schema, not 2003. Also it does not address the fact that the existing scripts work fine under Windows XP.

http://technet2.microsoft.com/WindowsVista/en/library/ab8d75f8-9b35-4e3e-a344-90d7799927231033.mspx?mfr=true

deddard
05-15-2007, 05:17 AM
Are M$ really going to charge you for this?
They created the problem and expect you to pay for something which is a known problem?
:mad:

Variable
05-15-2007, 10:44 AM
It is a permissions issue and the difference in how Vista applies permissions vs. older OSes.

If you can paste the printer command into a cmd logged in as the user that runs the script and it works then it is probably the UAC. What I don't understand is why the user gets locked. It would be nice to know what group policy is forcing the account to get locked out. That would tell you a lot wouldn't it? If the machine sends the wrong username, it would not affect the domain user, it must be sending the right username and the wrong password or it is tripping another group policy parameter. Without knowing why the account is locked out you are groping blindly for a solution. Disabling UAC may fix it but it would be nice to troubleshoot the issue. Since part of it works and part of it doesn't it could be unrelated to the UAC. The link I sent has two areas I would try, one is the interactive user and its permission level on the exe having the issue. The other is the user logging in also being a member of the local admin group.
I wouldn't blame MS until you understand the issue better. It very well could be your group policy or your machine local security policy set up. There are too many holes in the info right now.

FastLearner
05-15-2007, 11:56 AM
Thanks Variable.

It is becoming harder for me to troubleshoot this since the user has added the printer manually and has gone to work with his new laptop. I can intermittently take it back for troubleshooting purposes, however.

I can already confirm that the domain user also being a member of the local administrator group made no difference whatsoever. The user account was locked out anyway as soon as he logged in. In my domain, the only administrator-defined policy that results in a user being locked out (to the best of my knowledge) is when they send the wrong password 5 times. Microsoft told me this was too few (can't understand why that would be).

I will have to read some more about how to test the interactive user scenario.
Also if I had to choose, I would lean toward the main cause being a local security problem (by local, I mean on the client machine) of some sort as opposed to a group policy, but it must be a group policy locking the domain account as a result.

What a mess!
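An added example, not part of the thread, for the step Variable keeps asking for (find out on the DC why the account locks) using the lockout threshold FastLearner quotes (5 bad passwords): it correlates bad-password events with the lockout event for the same account and reports which workstation generated them. Event IDs 529 (bad password) and 644 (account locked out) are the Windows 2000/2003 security log IDs; the record layout, the sample events and the 30-minute observation window are constructed assumptions.

```python
"""Correlate bad-password (529) and lockout (644) events from a DC security log."""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                      # bad passwords before lockout (from the thread)
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed "reset counter" window of the policy

# Constructed sample records: (timestamp, event_id, target account, workstation name).
# jdoe's Vista laptop fires five bad passwords within seconds, then the DC locks the
# account; asmith mistypes twice from an XP box and never reaches the threshold.
SAMPLE_EVENTS = [
    ("2007-05-14 07:00:00", 529, "jdoe", "XP-WS07"),     # old, outside the window
    ("2007-05-14 08:01:02", 529, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:01:02", 529, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:01:03", 529, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:01:03", 529, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:01:04", 529, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:01:04", 644, "jdoe", "VISTA-LT01"),
    ("2007-05-14 08:05:10", 529, "asmith", "XP-WS07"),
    ("2007-05-14 08:05:20", 529, "asmith", "XP-WS07"),
]


def find_lockout_sources(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """For each 644 lockout, count the 529 events for that account in the preceding
    window per workstation. Returns {account: {workstation: bad_password_count}}
    listing only workstations that reached the threshold, i.e. the machine
    whose logon (or login script) is sending the wrong password."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, ws)
              for ts, eid, acct, ws in events]
    bad = [(t, a, w) for t, e, a, w in parsed if e == 529]
    sources = {}
    for t, e, a, w in parsed:
        if e != 644:
            continue
        counts = defaultdict(int)
        for bt, ba, bw in bad:
            if ba == a and t - window <= bt <= t:
                counts[bw] += 1
        hits = {ws: n for ws, n in counts.items() if n >= threshold}
        if hits:
            sources.setdefault(a, {}).update(hits)
    return sources


if __name__ == "__main__":
    for acct, per_ws in find_lockout_sources(SAMPLE_EVENTS).items():
        for ws, n in per_ws.items():
            print(f"{acct}: locked out after {n} bad passwords from {ws}")
```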