Windows 7 Outlook ADUC Lockout

Hello EE,

I am currently having an issue with my Windows 7 account on our company server. After a certain amount of time my computer will lock me out without inputting incorrect login information, not even once. I see a bubble pop up in the bottom right corner which says,

“Windows needs your current credentials. Please lock this computer, then unlock using your most recent credentials or smart card.”

I then have to go into ADUC remotely and unlock my account manually so I do not get locked and have to log into another admin account and connect to ADUC remotely.
When this occurs, I am locked out of Outlook Office 2013 as well for about 30 - 60 minutes, or until Outlook registers the correct credentials.

Another high priority user connected to our domain is now having a similar issue without the Windows Account lockout, but he is only being locked out of connecting in Microsoft Outlook 2013 and when this occurs for him Outlook prompts a login and password field so that he can insert the correct credentials which fails and automatically repairs itself an hour later.

I have noticed a few things happening in ADUC:
In ADUC – Attribute Editor – “badPwdCount – 10”. When this hits 10, I am locked out of my account. This is due to the settings in group policy.
Event Viewer on our Mail server:
Windows Logs > Security

Audit Failure (every 5-8 seconds)
Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

as well as 4776 codes from my workstation and does not show what was trying to authenticate.

I am assuming that something in Outlook is registering incorrect credentials when checking for mail and causing a lockout.

I have tried clearing key manager.
Shutdown all programs that connect to this workstation (logmein, antivirus?).
Investigated any workstation mistakenly attempting to login as me.
Checked Kerberos DES encryption in ADUC and it was deactivated (unchecked).
Set gpedit.msc "Always wait for the network at computer startup and logon" to enabled.

Brad Groux, Senior Manager (Wintel Engineering), commented:
Verify that no secondary or mobile devices are trying to access your Exchange account - which could be locking you out as well. Something is triggering those failed login attempts. With that said, if password complexity is set to high and password history is in place, you may want to rethink your lockout policy (as in disable it).

Also, ensure that the time settings on the workstations match the time on the domain controllers. You should be getting your time from the DC(s) that you are authenticating with, they should be getting their time from the PDC (Primary Domain Controller) and the PDC should be getting the time from an NTP (Network Time Protocol) source.

All Domain Controllers except the PDC should be set to NT5DS time settings, and the PDC should be set to NTP and pointed to an external time source. In Active Directory, time consistency is far more important than accuracy. See here for details -

hospicesj (Author) commented:
I have verified that no secondary mobile devices are attempting to access my workstation. I have removed any apps over the weekend that would communicate with my workstation at all (LogMeIn). I have also verified and re-synced the timing of my workstation to match the DC. It looks to have always been syncing correctly. I can also confirm that the PDC is set to NTP time settings while the other DC's are set to NT5DS time settings.

After double checking last Friday and allowing my PC to stay on all weekend with no programs running, I came into work this morning with my account being locked in ADUC. I also received the notification bubble in the bottom right corner of the screen that told me to lock my PC and re-confirm my credentials by logging back in.
Brad Groux, Senior Manager (Wintel Engineering), commented:
That's a bummer. Have you reviewed the event logs on both the DCs that your workstation authenticates to as well as your workstation to try and see if you can figure out what system is failing?

Something I also failed to mention above was verifying that no scheduled tasks are being run with the old credentials (rare, but happens). You may just for due diligence's sake run full virus and spyware tests to ensure that no malware is on the machine - I'd recommend Spybot Search and Destroy along with your normal domain AV solution.

The only real option after that is to disable the lockout policy on the network. I know it sounds drastic, but it is actually Microsoft best practice now to disable account lockout policy if both Password History and Password Complexity are set within the environment.
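
Added example, not part of the original thread or either poster's words: one way to do the event-log review suggested above is to group the account's failed-logon events (4625, which carries the Status/Sub Status pair quoted in the question, 4776 NTLM validation failures, and 4740 lockouts) by their source fields. The account name `jdoe`, the 24-hour window and the default server are assumptions.

```powershell
# Added example: summarise failed-logon evidence for one account so the
# originating host or process stands out. Run elevated; reading the Security
# log requires administrative rights on the target server.
param(
    [string]$User   = 'jdoe',              # placeholder account name (assumption)
    [string]$Server = $env:COMPUTERNAME,   # mail server or DC whose Security log is read
    [int]$Hours     = 24                   # look-back window (assumption)
)

# Turn an event record's EventData into a hashtable keyed by field name.
function ConvertTo-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4776, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f['TargetUserName'] -ne $User) { return }
        # Each event type names the originating machine in a different field.
        $source = switch ($_.Id) {
            4776 { $f['Workstation'] }        # NTLM credential validation
            4740 { $f['TargetDomainName'] }   # caller computer on a lockout event
            4625 { $f['WorkstationName'] }    # failed logon
        }
        [pscustomobject]@{
            EventId   = $_.Id
            Source    = $source
            IpAddress = $f['IpAddress']       # 4625 only
            LogonType = $f['LogonType']       # 4625 only
            Process   = $f['ProcessName']     # 4625 only
            Status    = $f['Status']          # e.g. 0xc000006d
            SubStatus = $f['SubStatus']       # e.g. 0xc000006a (4625 only)
        }
    } |
    Group-Object EventId, Source, IpAddress, LogonType, Process, Status, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The row with the highest count shows which source, logon type and process account for the repeating failures; 4740 events are only logged on domain controllers, so run it against a DC as well as the mail server.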
hospicesj (Author) commented:
I did try the troubleshooting steps you included in your response. There seems to be no issue at all. The next step for us is to have Microsoft look into the issue. One thing I would love to do but cannot due to HIPAA restrictions, is disable the account lockout policy.

One thing I do have in common with the other high priority user is that we both plug our phones in so they can charge through the USB port. We seem to be the only ones doing this and after a bit of research I can't see any reason why this would cause the computer to attempt to authenticate. I will see how the frequency is affected while the phone is plugged in and while it's not, but I don't see that being the reason for this issue.

Question has a verified solution.