I'm dealing with a persistent issue where one user's account locks out daily, sometimes even multiple times within the same day. We're running a hybrid environment with Windows 10/11, and the lockouts always occur on-premises. Here's what we've tried so far to resolve the issue:
- Resetting the password
- Forcing a password resync by setting it to the same value
- Clearing the Windows Credential Manager
- Removing and remapping network drives
- Signing the user out of all active sessions
- Disabling the user's desk phone, suspecting it might cache credentials
- Reinstalling the Company Portal
- Reimaging both the current and the previous computer of the user
- Checking for failed logins from other devices
- Reviewing CrowdStrike events, which consistently report the same error: KDC_ERR_S_PRINCIPAL_UNKNOWN (External error)
I'm open to any suggestions on what might be causing this issue since we feel like we've tried everything. Thank you!
1 Answer
It sounds like something is storing an old password. Since you're in a hybrid environment, you should definitely check the Domain Controllers for account lockout events, specifically event 4740. That should help you trace the source of the lockout to a specific host if it's happening daily.
Absolutely, that's where I'd start too! Tracking down those events can really shed light on the issue.