I came across an interesting problem the other day. A client had a user who was out of the office. The site administrator changed the user’s AD password, but the user was still logged in to her desktop computer under her old credentials.
The next day, the administrator went to the user’s computer to check an email, and she received the expected “invalid credentials” error message. Following the onscreen instructions, she locked the computer and unlocked it using the new password. This “worked”, in the sense that the password was accepted by Windows XP. But she was prompted for a password when opening Outlook and got an “access denied” error message when accessing network shares.
She called me, and I advised her to log off and log back on to the computer. When this didn’t help, I had her reboot the computer. When this didn’t work, I accessed the computer remotely and tried logging in as that user.
I logged in using the new password, which Windows XP happily accepted. However, the login script hung on an “invalid password” error and I too got “access denied” messages when accessing network shares. But what was strange is that the login script accepted the username and new password when entered manually.
I figured something must have been screwed up with the user’s cached credentials, so I clicked Start > Run and typed the following:
rundll32.exe keymgr.dll, KRShowKeyMgr
This opened a window with the user’s cached credentials. I could have clicked “Remove”, but instead I clicked on “Properties” for the domain credentials and put the new password in.
And everything started working again.