

Windows 7 Outlook ADUC Lockout

Posted on 2014-09-03
Medium Priority
Last Modified: 2015-03-25
Hello EE,

I am currently having an issue with my Windows 7 account on our company server. After a certain amount of time my computer will lock me out without inputting incorrect login information, not even once. I see a bubble pop up in the bottom right corner which says,

“Windows needs your current credentials. Please lock this computer, then unlock using your most recent credentials or smart card.”

I then have to go into ADUC remotely and unlock my account manually so I do not get locked and have to log into another admin account and connect to ADUC remotely.
When this occurs, I am locked out of Outlook Office 2013 as well for about 30 - 60 minutes, or until Outlook registers the correct credentials.

Another high priority user connected to our domain is now having a similar issue without the Windows Account lockout, but he is only being locked out of connecting in Microsoft Outlook 2013 and when this occurs for him Outlook prompts a login and password field so that he can insert the correct credentials which fails and automatically repairs itself an hour later.

I have noticed a few things happening in ADUC
In ADUC – Attribute Editor – “badPwdCount – 10” When this hits 10, I am locked out of my account. This is due to the settings in group policy.
Event Viewer on our Mail server.
Windows Logs > Security

Audit Failure (every 5-8 seconds)
Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

as well as 4776 codes from my workstation and does not show what was trying to authenticate.

I am assuming that something in Outlook is registering incorrect credentials when checking for mail and causing a lockout

I have tried clearing key manager.
Shutdown all programs that connect to this workstation (logmein, antivirus?).
Investigated any workstation mistakenly attempting to login as me.
Checked Kerberos DES encryption in ADUC and it was deactivated (unchecked).
Set gpedit.msc "Always wait for the network at computer startup and logon" to Enabled.
Question by:hospicesj
LVL 14

Accepted Solution

Brad Groux earned 2000 total points
ID: 40303488
Verify that no secondary or mobile devices are trying to access your Exchange account - which could be locking you out as well. Something is triggering those failed login attempts. With that said, if password complexity is set to high and password history is in place, you may want to rethink your lockout policy (as in disable it).

Also, ensure that the time settings on the workstations match the time on the domain controllers. You should be getting your time from the DC(s) that you are authenticating with, they should be getting their time from the PDC (Primary Domain Controller) and the PDC should be getting the time from an NTP (Network Time Protocol) source.

All Domain Controllers except the PDC should be set to NT5DS time settings, and the PDC should be set to NTP and pointed to an external time source. In Active Directory, time consistency is far more important than accuracy. See here for details -

Author Comment

ID: 40310127
I have verified that no secondary mobile devices are attempting to access my workstation. I have removed any apps over the weekend that would communicate with my workstation at all (LogMeIn). I have also verified and re-synced the timing of my workstation to match the DC. It looks to have always been syncing correctly. I can also confirm that the PDC is set to NTP time settings while the other DCs are set to NT5DS time settings.

After double checking last Friday and allowing my PC to stay on all weekend with no programs running, I came into work this morning with my account being locked in ADUC. I also received the notification bubble in the bottom right corner of the screen that told me to lock my PC and re-confirm my credentials by logging back in.
LVL 14

Expert Comment

by:Brad Groux
ID: 40310151
That's a bummer. Have you reviewed the event logs on both the DCs that your workstation authenticates to as well as your workstation to try and see if you can figure out what system is failing?

Something I also failed to mention above was verifying that no scheduled tasks are being run with the old credentials (rare, but happens). You may just for due diligence sake run full virus and spyware tests to ensure that no malware is on the machine - I'd recommend Spybot Search and Destroy along with your normal domain AV solution.

The only real option after that is to disable the lockout policy on the network. I know it sounds drastic, but it is actually Microsoft best practice now to disable account lockout policy if both Password History and Password Complexity are set within the environment.
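
Added example (not part of the thread, and not code from either poster): one way to do the event-log review suggested above, tallying failed authentications for one account by source machine and status code. The account name and look-back window are placeholders; event IDs 4625 and 4740 are standard Windows Security events that the thread does not mention, read here alongside the 4776 events it does.

```powershell
# Added example. Run elevated on each DC the workstation authenticates to.
param(
    [string]$User  = 'jdoe',   # placeholder sAMAccountName (assumption)
    [int]   $Hours = 24        # look-back window (assumption)
)

# NTSTATUS codes seen in 4625/4776 events; the first two are the ones in the post.
$StatusText = @{
    '0xc000006d' = 'unknown user name or bad password'
    '0xc000006a' = 'user name correct, password wrong'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account is locked out'
}

function ConvertTo-FieldTable {
    param($Record)
    # Named EventData fields are only reachable through the XML view.
    $table = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $table[$d.Name] = $d.'#text'
    }
    $table
}

$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4776, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.Id
        $f  = ConvertTo-FieldTable $_
        if ($f.TargetUserName -ne $User) { return }
        switch ($id) {
            4625 { $src = "$($f.WorkstationName) $($f.IpAddress)"; $code = $f.SubStatus }
            4776 { $src = $f.Workstation;      $code = $f.Status }
            4740 { $src = $f.TargetDomainName; $code = 'lockout' }  # caller computer
        }
        if ($code -eq '0x0') { return }   # 4776 is also logged for successes
        [pscustomobject]@{
            EventId = $id; Source = $src; Code = $code
            Meaning = $StatusText["$code"]
        }
    } |
    Group-Object EventId, Source, Code, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A blank Source on the 4776 rows matches what the question describes; the 4625 rows carry the client IP address as well, which can identify the machine when the workstation name is missing.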

Author Comment

ID: 40328790
I did try the troubleshooting steps you included in your response. There seems to be no issue at all. The next step for us is to have Microsoft look into the issue. One thing I would love to do but cannot due to HIPAA restrictions, is disable the account lockout policy.

One thing I do have in common with the other high priority user is that we both plug our phones in so they can charge through the USB port. We seem to be the only ones doing this and after a bit of research I can't see any reason why this would cause the computer to attempt to authenticate. I will see how the frequency is affected while the phone is plugged in and while it's not, but I don't see that being the reason for this issue.

Question has a verified solution.
