User constantly getting locked out

Hi All,

I've got user where she constantly getting locked out, I believe to be it's related to Outlook. I did reimage her computer once but it didn't resolve the issue. Account is getting locked every 30 min. Need your suggestions.

0 comments No comments
Sign in to comment

3 answers

  1. Tracy Le 9,280 Reputation points Independent Advisor

    Hi Yusuf Pertekli, Vodafone,

    Excellent troubleshooting. If turning off that specific laptop stops the lockouts completely, we have our smoking gun.

    Even on a freshly built machine, a background process or app is aggressively trying to authenticate using a bad password. It is almost always a corrupted or outdated token stuck in the cache trying to silently reconnect.

    Here is how you surgically fix this on her laptop:

    Nuke Credential Manager: Open Credential Manager -> Windows Credentials. Delete every single entry related to MicrosoftOffice, Teams, OneDrive, SSO, and any internal server IPs or names. (Do not worry, Windows will just prompt her to log in normally when she opens the apps and will generate fresh, healthy tokens).

    Check Mapped Drives: Open CMD and run net use. If she has any mapped network drives, disconnect them. Re-map them ensuring you do not use old credentials.

    Work/School Account: Go to Windows Settings -> Accounts -> Access work or school. If her account is listed there, disconnect it and reconnect it to force a fresh token sync.

    After clearing those cached credentials and rebooting her laptop, does the Event 4776 "Bad Password" spam finally stop in your DC logs?

    0 comments No comments
    Sign in to comment
  2. Tracy Le 9,280 Reputation points Independent Advisor

    Hi Yusuf Pertekli, Vodafone,

    Reimaging the computer was a waste of time because the lockout is almost certainly not coming from her main PC. If it happens repeatedly on a schedule, it is an automated sync attempt using an old cached password.

    Since you already wiped her computer, the culprit is 99% a mobile device (phone/tablet with an old Exchange/Outlook profile), a secondary machine she logged into, or a stale disconnected RDP session.

    Stop guessing and find the exact source immediately:

    Log into your Primary Domain Controller (or the DC that processes her authentications).

    Open Event Viewer > Windows Logs > Security.

    Filter the log for Event ID 4740 (A user account was locked out).

    Open the event for her username and look at the Caller Computer Name.

    That field will tell you exactly which device is hammering the Active Directory with bad passwords. (If it shows your Exchange or RADIUS server, you will need to check their respective logs to find the real source IP).

    What device name is showing up in that 4740 event log?

    Tracy.

    1. Yusuf Pertekli, Vodafone 0 Reputation points

      Lock is coming from her current fresh built laptop. Old laptop was removed from AD. Her laptop was off for a day and her account didn't locked once. I don't think it's coming her from phone. I've updated her credential details there as well.

    Sign in to comment

  3. AI answer

    For a user whose account is being locked every 30 minutes and is suspected to be related to Outlook, focus on identifying repeated bad password attempts and any Outlook-specific credential issues.

    1. Understand the lockout behavior
    • In a Microsoft Entra Domain Services managed domain, by default 5 bad password attempts within 2 minutes will lock the account, and it automatically unlocks after 30 minutes. If something (user, Outlook, or another app/service) keeps retrying with a bad password, the account will repeatedly lock on this cycle.
    1. Check for common lockout causes According to the documented common reasons:
    • The user may still be using an old password after a recent password change.
    • An application or service (such as Outlook, another mail profile, mobile device, or background service) may be using stored old credentials and repeatedly trying to sign in.
    • The password may have been changed in a different environment (for example, on-premises AD vs. Entra) and synchronization delay could cause temporary lockouts if the user signs in before sync completes.
    1. Focus on Outlook-related causes
    • For Outlook 2016 specifically, there is a known issue where if a user types an incorrect credential and then cancels the password prompt, Outlook may continue sending requests with the incorrect credentials, causing account lockouts.
    • The fix for this is to install the April 2, 2019 update for Outlook 2016 (KB4464502). After this update, Outlook 2016 is prevented from sending requests during “Need Password” by default.
    1. Practical steps to troubleshoot
    1. Verify lockout pattern
    • Confirm that the lockouts align with the 30-minute automatic unlock window. This strongly indicates repeated bad password attempts from some client or service.
    1. Identify where the bad credentials are coming from
    • Check all devices and apps where this user’s account is configured (desktop Outlook, laptops, mobile devices, services, scheduled tasks, etc.) and ensure the current password is used everywhere.
    • Remove or update any stored credentials that might still hold the old password.
    1. Update Outlook
    • If the user is on Outlook 2016, ensure that KB4464502 is installed so Outlook does not continue sending bad credentials after a canceled prompt.
    1. Avoid raising thresholds
    • The default lockout policy (5 bad attempts in 2 minutes, 30-minute lockout) is implemented via fine-grained password policy. It is not recommended to increase thresholds to “mask” the problem. Instead, identify and fix the source of bad sign-ins.
    1. If using Microsoft Entra Domain Services
    • Remember that fine-grained password policies apply only within the managed domain. Changing the policy does not unlock an already locked account; the account must either auto-unlock after the lockout duration or be handled per your admin process.

    Once all clients and services are corrected to use the right password and Outlook is updated (if applicable), the repeated 30-minute lockout cycle should stop.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
Sign in to answer

Your answer