Solved

Windows 7 Outlook ADUC Lockout

Posted on 2014-09-03
Last Modified: 2015-03-25
Hello EE,

I am currently having an issue with my Windows 7 account on our company server. After a certain amount of time my computer will lock me out without inputting incorrect login information, not even once. I see a bubble pop up in the bottom right corner which says,

“Windows needs your current credentials. Please lock this computer, then unlock using your most recent credentials or smart card.”

I then have to go into ADUC remotely and unlock my account manually so I do not get locked and have to log into another admin account and connect to ADUC remotely.
When this occurs, I am locked out of Outlook Office 2013 as well for about 30 - 60 minutes, or until Outlook registers the correct credentials.

Another high priority user connected to our domain is now having a similar issue without the Windows Account lockout, but he is only being locked out of connecting in Microsoft Outlook 2013 and when this occurs for him Outlook prompts a login and password field so that he can insert the correct credentials which fails and automatically repairs itself an hour later.

I have noticed a few things happening in ADUC
In ADUC – Attribute Editor – “badPwdCount – 10” When this hits 10, I am locked out of my account. This is due to the settings in group policy.
Event Viewer on our Mail server.
Windows Logs > Security

Audit Failure (every 5-8 seconds)
Failure Information:
      Failure Reason:   Unknown user name or bad password.
      Status:           0xc000006d
      Sub Status:       0xc000006a

as well as 4776 codes from my workstation, which do not show what was trying to authenticate.

I am assuming that something in Outlook is registering incorrect credentials when checking for mail and causing a lockout

I have tried clearing key manager.
Shutdown all programs that connect to this workstation (logmein, antivirus?).
Investigated any workstation mistakenly attempting to login as me.
Checked Kerberos DES encryption in ADUC and it was deactivated (unchecked).
Set gpedit.msc "Always wait for the network at computer startup and logon" to enabled.
Question by:hospicesj

Accepted Solution

by:
Brad Groux earned 500 total points
ID: 40303488
Verify that no secondary or mobile devices are trying to access your Exchange account - which could be locking you out as well. Something is triggering those failed login attempts. With that said, if password complexity is set to high and password history is in place, you may want to rethink your lockout policy (as in disable it).

Also, ensure that the time settings on the workstations match the time on the domain controllers. You should be getting your time from the DC(s) that you are authenticating with, they should be getting their time from the PDC (Primary Domain Controller) and the PDC should be getting the time from an NTP (Network Time Protocol) source.

All Domain Controllers except the PDC should be set to NT5DS time settings, and the PDC should be set to NTP and pointed to an external time source. In Active Directory, time consistency is far more important than accuracy. See here for details - http://technet.microsoft.com/en-us/library/cc786897(v=WS.10).aspx

Author Comment

by:hospicesj
ID: 40310127
I have verified that no secondary mobile devices are attempting to access my workstation. I have removed any apps over the weekend that would communicate with my workstation at all (LogMeIn). I have also verified and re-synced the timing of my workstation to match the DC. It looks to have always been syncing correctly. I can also confirm that the PDC is set to NTP time settings while the other DCs are set to NT5DS time settings.

After double checking last Friday and allowing my PC to stay on all weekend with no programs running, I came into work this morning with my account being locked in ADUC. I also received the notification bubble in the bottom right corner of the screen that told me to lock my PC and re-confirm my credentials by logging back in.

Expert Comment

by:Brad Groux
ID: 40310151
That's a bummer. Have you reviewed the event logs on both the DCs that your workstation authenticates to as well as your workstation to try and see if you can figure out what system is failing?

Something I also failed to mention above was verifying that no scheduled tasks are being run with the old credentials (rare, but happens). You may just for due diligence's sake run full virus and spyware tests to ensure that no malware is on the machine - I'd recommend Spybot Search and Destroy along with your normal domain AV solution.

The only real option after that is to disable the lockout policy on the network. I know it sounds drastic, but it is actually Microsoft best practice now to disable account lockout policy if both Password History and Password Complexity are set within the environment.
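One way to carry out the DC event-log review suggested in the comment above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the domain controllers, a 24-hour window, and `jdoe` as a placeholder account name.

```powershell
Import-Module ActiveDirectory
$User  = 'jdoe'                       # placeholder sAMAccountName (assumption)
$Since = (Get-Date).AddHours(-24)     # look-back window (assumption)

# NTSTATUS codes reported on failed validations; the question shows 0xc000006d / 0xc000006a
$StatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'correct user name, wrong password'
    '0xc000006d' = 'bad user name or authentication information'
    '0xc0000234' = 'account locked out'
}

# Event 4740 (account locked out) is recorded on the PDC emulator and names the calling computer.
$Pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object TimeCreated,
        @{n='User';   e={ $_.Properties[0].Value }},
        @{n='Caller'; e={ $_.Properties[1].Value }}

# Event 4776 (NTLM credential validation) is logged on the DC that handled the attempt, so query every DC.
$Failures = foreach ($Dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $Dc.HostName -FilterHashtable @{LogName='Security'; Id=4776; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -eq $User -and $d.Status -ne '0x0') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    DC          = $Dc.HostName
                    Workstation = if ($d.Workstation) { $d.Workstation } else { '(blank)' }
                    Status      = "$($d.Status) $($StatusText[$d.Status.ToLower()])"
                }
            }
        }
}
$Failures | Group-Object Workstation, Status | Sort-Object Count -Descending | Select-Object Count, Name

# badPwdCount is not replicated between DCs; this reads the value held by the DC that answers the query.
Get-ADUser $User -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt
```

A `(blank)` workstation on the 4776 rows matches what the question describes; in that case the `DC` column shows which server validated the attempt, which is where the search for the originating connection continues.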
 

Author Comment

by:hospicesj
ID: 40328790
I did try the troubleshooting steps you included in your response. There seems to be no issue at all. The next step for us is to have Microsoft look into the issue. One thing I would love to do but cannot due to HIPAA restrictions, is disable the account lockout policy.

One thing I do have in common with the other high priority user is that we both plug our phones in so they can charge through the USB port. We seem to be the only ones doing this and after a bit of research I can't see any reason why this would cause the computer to attempt to authenticate. I will see how the frequency is affected while the phone is plugged in and while it's not, but I don't see that being the reason for this issue.