Windows 7 Outlook ADUC Lockout

Posted on 2014-09-03
Last Modified: 2015-03-25
Hello EE,

I am currently having an issue with my Windows 7 account on our company server. After a certain amount of time my computer will lock me out without inputting incorrect login information, not even once. I see a bubble pop up in the bottom right corner which says,

“Windows needs your current credentials. Please lock this computer, then unlock using your most recent credentials or smart card.”

I then have to go into ADUC remotely and unlock my account manually so I do not get locked and have to log into another admin account and connect to ADUC remotely.
When this occurs, I am locked out of Outlook Office 2013 as well for about 30 - 60 minutes, or until Outlook registers the correct credentials.

Another high priority user connected to our domain is now having a similar issue without the Windows Account lockout, but he is only being locked out of connecting in Microsoft Outlook 2013 and when this occurs for him Outlook prompts a login and password field so that he can insert the correct credentials which fails and automatically repairs itself an hour later.

I have noticed a few things happening in ADUC:
In ADUC – Attribute Editor – “badPwdCount – 10”. When this hits 10, I am locked out of my account. This is due to the settings in group policy.
Event Viewer on our Mail server.
Windows Logs > Security

Audit Failure (every 5-8 seconds)
Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

as well as 4776 codes from my workstation and does not show what was trying to authenticate.

I am assuming that something in Outlook is registering incorrect credentials when checking for mail and causing a lockout.

I have tried clearing key manager.
Shutdown all programs that connect to this workstation (logmein, antivirus?).
Investigated any workstation mistakenly attempting to login as me.
Checked Kerberos DES encryption in ADUC and it was deactivated (unchecked).
Set gpedit.msc "Always wait for the network at computer startup and logon" to enabled.
Question by:hospicesj

Accepted Solution

Brad Groux earned 500 total points
ID: 40303488
Verify that no secondary or mobile devices are trying to access your Exchange account - which could be locking you out as well. Something is triggering those failed login attempts. With that said, if password complexity is set to high and password history is in place, you may want to rethink your lockout policy (as in disable it).

Also, ensure that the time settings on the workstations match the time on the domain controllers. You should be getting your time from the DC(s) that you are authenticating with, they should be getting their time from the PDC (Primary Domain Controller) and the PDC should be getting the time from an NTP (Network Time Protocol) source.

All Domain Controllers except the PDC should be set to NT5DS time settings, and the PDC should be set to NTP and pointed to an external time source. In Active Directory, time consistency is far more important than accuracy. See here for details -

Author Comment

ID: 40310127
I have verified that no secondary mobile devices are attempting to access my workstation. I have removed any apps over the weekend that would communicate with my workstation at all (LogMeIn). I have also verified and re-synced the timing of my workstation to match the DC. It looks to have always been syncing correctly. I can also confirm that the PDC is set to NTP time settings while the other DCs are set to NT5DS time settings.

After double checking last Friday and allowing my PC to stay on all weekend with no programs running, I came into work this morning with my account being locked in ADUC. I also received the notification bubble in the bottom right corner of the screen that told me to lock my PC and re-confirm my credentials by logging back in.

Expert Comment

by:Brad Groux
ID: 40310151
That's a bummer. Have you reviewed the event logs on both the DCs that your workstation authenticates to as well as your workstation to try and see if you can figure out what system is failing?

Something I also failed to mention above was verifying that no scheduled tasks are being run with the old credentials (rare, but happens). You may, just for due diligence's sake, run full virus and spyware tests to ensure that no malware is on the machine - I'd recommend Spybot Search and Destroy along with your normal domain AV solution.

The only real option after that is to disable the lockout policy on the network. I know it sounds drastic, but it is actually Microsoft best practice now to disable account lockout policy if both Password History and Password Complexity are set within the environment.
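
Added example, not part of the expert's comment above: one way to do the event-log review it suggests, pulling events 4740, 4776 and 4625 for one account from the Security log and grouping them by originating machine. The account name, server list and time window are placeholder parameters (assumptions); run it elevated against the domain controllers and the mail server.

```powershell
# Added example (not from the thread). Placeholder parameters; run elevated.
param(
    [string]$User = 'jdoe',                        # placeholder account name
    [string[]]$Computer = @($env:COMPUTERNAME),    # DCs and the mail server
    [int]$Hours = 24                               # how far back to look
)

function Get-EventDataTable {
    param($Record)
    # Flatten <EventData><Data Name="..."> into a name -> value hashtable.
    $table = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $table[$d.Name] = $d.'#text'
    }
    $table
}

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4776, 4625    # lockout, NTLM validation, failed logon
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($c in $Computer) {
    Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rec = $_                               # keep the record; switch rebinds $_
            $f = Get-EventDataTable $rec
            if ($f['TargetUserName'] -notlike "*$User*") { return }
            # Each event id stores the originating machine in a different field.
            $source = switch ($rec.Id) {
                4740 { $f['TargetDomainName'] }    # shown as "Caller Computer Name"
                4776 { $f['Workstation'] }
                4625 { '{0} [{1}]' -f $f['WorkstationName'], $f['IpAddress'] }
            }
            $status = if ($f['SubStatus']) { $f['SubStatus'] } else { $f['Status'] }
            [pscustomobject]@{
                LoggedOn = $c
                EventId  = $rec.Id
                Source   = $source
                Status   = $status     # 0xc000006a = correct user name, wrong password
                Process  = $f['ProcessName']
            }
        }
}

# Most frequent (server, event, source, status) combinations first.
$rows | Group-Object LoggedOn, EventId, Source, Status |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Rows with an empty Source are events that did not record the originating machine, as the poster saw with 4776; compare them with the 4625 rows logged on the server that received the logon.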

Author Comment

ID: 40328790
I did try the troubleshooting steps you included in your response. There seems to be no issue at all. The next step for us is to have Microsoft look into the issue. One thing I would love to do but cannot due to HIPAA restrictions, is disable the account lockout policy.

One thing I do have in common with the other high priority user is that we both plug our phones in so they can charge through the USB port. We seem to be the only ones doing this and after a bit of research I can't see any reason why this would cause the computer to attempt to authenticate. I will see how the frequency is affected while the phone is plugged in and while it's not, but I don't see that being the reason for this issue.
