I've been experiencing random user account lockouts for the past few months, and I'm really struggling to pinpoint the cause or find a solution. It only affects a small number of users, but once someone gets locked out, it tends to keep happening to them.
Here's a bit of background on our setup:
- We use a Windows On-prem Active Directory with a hybrid cloud setup for Exchange/365.
- We have around 200 users, primarily on-site.
The issue usually occurs when a user tries to log in to their workstation; their account locks immediately—even when they enter the correct password. The error I see in the AD Audit tool states:
Kerberos pre-authentication failed for *username* from 192.168.62.19. Status: Failure. Reason: Account disabled, expired, or locked out.
Interestingly, this only happens while users are on-site with their laptops—remote access seems to be fine.
I've already done some troubleshooting: cleared the credential manager, checked for old credentials on mapped drives and services, and made sure that passwords on mobile devices accessing Outlook are updated. I've also ensured that NTP is configured correctly and syncing back to the Domain Controller.
Despite all this, the error message just loops back to saying, "your account is locked out because it's been locked out." I'm genuinely out of ideas. Any help would be appreciated!
2 Answers
Are you using 802.1x for Wi-Fi authentication? If so, that could be part of the problem. Also, double-check that you've cleared everything in the credential manager on the workstation—this should be your first step. Sometimes, cached VPN credentials can try to connect while in the office, leading to lockouts.
If you haven't already, look for Event IDs 4740 and 4625; they could provide valuable insight into what's causing the lockouts. Knowing which events are related will help narrow things down.
Have you checked the hidden credential store? I had a similar issue once, and using PsExec helped me sort it out. You can download PsExec.exe from the Sysinternals page and follow these steps:
1. Put PsExec in `C:\Windows\System32`.
2. Run `psexec -i -s -d cmd.exe` from the command prompt.
3. Then, in the new DOS window, run `rundll32 keymgr.dll,KRShowKeyMgr`. That worked like a charm for me!
Thanks, I'll give that a shot!
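Pulling the two answers together as a worked triage script (an added example, not code from either answer or from the original poster): it pulls the 4740 lockout events from the PDC emulator to get the caller computer name, pulls 4771 from every DC and separates the 0x18 (wrong password) submissions that actually burn bad-password attempts from the 0x12 (already locked) symptom quoted in the question, then lists stored credentials for the domain under both the interactive user and SYSTEM, which is the hidden store the second answer reaches with `psexec -i -s`. Assumptions: it is run as a domain admin on a domain-joined machine with Security-log read rights on the DCs, `psexec.exe` is on `PATH`, and the sample user `jdoe` and domain `CORP` are constructed placeholders.

```powershell
# Added lockout triage helper (not from the thread). Assumes domain-admin rights,
# remote event log access to the DCs, and Sysinternals psexec.exe on PATH.
param([string]$User = 'jdoe')   # constructed sample account; replace with the affected user

function ConvertFrom-EventData {
    # Flatten the <EventData> of a Security event into a hashtable keyed by Data Name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-LockoutEvents {
    # 4740 is only written on the PDC emulator, so query that DC directly.
    # In 4740 the Data field named TargetDomainName carries the caller computer name.
    param([string]$User, [int]$Days = 7)
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    User           = $d.TargetUserName
                    CallerComputer = $d.TargetDomainName
                    DC             = $pdc
                }
            }
        }
}

function Get-KerberosFailures {
    # 4771 lands on whichever DC received the AS-REQ, so walk every DC.
    # Status 0x18 = pre-auth info invalid (wrong password, counts toward lockout);
    # Status 0x12 = account disabled/expired/locked (the message quoted in the question).
    param([string]$User, [int]$Days = 7)
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object Name
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = ConvertFrom-EventData $_
                if ($d.TargetUserName -eq $User) {
                    [pscustomobject]@{
                        Time     = $_.TimeCreated
                        DC       = $dc
                        ClientIP = ($d.IpAddress -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                        Status   = $d.Status
                    }
                }
            }
    }
}

function Get-StoredDomainCredentials {
    # The "hidden" store from the second answer: cmdkey under the logged-on user and under SYSTEM.
    # Run this locally on the workstation that 4740 named as the caller computer.
    param([string]$DomainName)
    $lines = @()
    $lines += cmdkey /list 2>$null | ForEach-Object { "USER    $_" }
    $lines += & psexec.exe -accepteula -s cmdkey /list 2>$null | ForEach-Object { "SYSTEM  $_" }
    # Keep only the Target lines that mention the domain (VPN, mapped drive and service entries show up here).
    $lines | Where-Object { $_ -match 'Target:' -and $_ -match [regex]::Escape($DomainName) }
}

# Usage (constructed): which machine triggered the lockout, which IPs keep sending 0x18
# bad-password attempts for this user, and which stored domain credentials exist here.
Get-LockoutEvents -User $User | Format-Table -AutoSize
Get-KerberosFailures -User $User |
    Where-Object Status -eq '0x18' |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Format-Table Count, Name
Get-StoredDomainCredentials -DomainName 'CORP'
```

The point of separating the two 4771 status codes is that a stream of 0x12 events only confirms the account is already locked; the 0x18 events, grouped by client IP, show where the stale password is being submitted from, and the 4740 caller computer name should agree with the most frequent 0x18 source. If the IP points at the user's own laptop (as 192.168.62.19 appears to in the question), the SYSTEM-context credential listing is the next place to look, since entries there survive clearing the user's own Credential Manager.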

Thanks for the tips! We're not using 802.1x, and I'm sure we've cleared cached credentials, but I'll check those event IDs next. We only see 4625 and 4771 events for this issue.