Windows 10 Domain joined locking out user account regularly

Scenario:

Windows 10 x64 PC joined to Windows 2012 Functional Level Domain - Windows Server 2012 R2 DCs

After a period of activity when a user returns to their PC and unlocks it, a short time later (a few minutes) the user is prompted with "Windows needs your current credentials".  After locking the PC, occasionally the PC will indicate that it is locked out.  Further, if the prompt for "Windows needs your current credentials" is ignored, the account will often lock out a short time later.

Further, sometimes the prompt for "Windows needs your current credentials" is not received and the account locks out.  Using AD Users and Computers and looking at the object modified time, it is possible to track to the DC which locked out the account and the reason why - Kerberos Pre-Authentication failed - see attached screenshots.

The PCs are domain joined, one having been part of the Windows Insider program for some time, and another an in-place upgrade from Windows 8.1 Enterprise.  Both PCs are running Windows 10 Enterprise - currently not activated.

Issue has been seen for a few builds, possibly from around build 10162, as described in the similar issue here: http://www.tenforums.com/network-sharing/7973-domain-account-locked-daily.html 


Hi Folks,

This workaround worked in our environment for several days on multiple W10 domain computers.

Strange that it would work with the lockout situation (and I never shut down my computer), but it works.

It's for now a local policy, but it's a nicer solution than to rumble with Kerberos authentication ;).

We all have SSD, ... that's something what could cause this ...


Hi,

I have a Microsoft Surface Pro 3, so with an SSD.

I have the same issue ...

Windows 10.0 (Build 10240) official one.

Skype For Business version 15.0.4745.1000 (64bits)

I apply the workaround "Do not require Kerberos preauthentication".

It works but yes, not good for the security for the enterprise policy.

The workaround "Always wait for the network at computer startup and logon" is not good if you have a laptop... so long to log on then.

Hope that Microsoft will fix this issue quickly!


Just posting this to report that I am also having the exact same symptom.  Mine is a clean install of Win 10 Enterprise.
Ralph Bley


Just an update.  My MS support rep is now in the process of building a Win 10 VM in his test environment to try and replicate the issue.  Hopefully he succeeds.


This local policy setting seems to have done it for me, without the issues that remained with the pre-authentication workaround.

Initial logon was a bit slower, but that is about it. At least the thing is usable now.


Just an update.  My MS support rep is now in the process of building a Win 10 VM in his test environment to try and replicate the issue.  Hopefully he succeeds.
Make sure he is using an account that has not seen Windows 10 yet but has logged into a Windows 8 box, otherwise he will not have any issues and claim it is a local issue.


Just an update.  My MS support rep is now in the process of building a Win 10 VM in his test environment to try and replicate the issue.  Hopefully he succeeds.
Make sure he is using an account that has not seen Windows 10 yet but has logged into a Windows 8 box, otherwise he will not have any issues and claim it is a local issue.

I've informed him of this, but have enough people verified that using a brand new account does not, in fact, present the issue, ever?  I'm not sure it's only limited to accounts that have been used prior to Windows 10 and believe with enough testing someone would find they did have the issue with even brand new accounts.

I only say this because the reverse is also not true for me.  I have 2 accounts and 2 workstations.  Both accounts were used prior to Win10.  I only have this issue with the specific combination of one of my accounts on one of my workstations.  Any other combo does not present the issue.  Perhaps this is just due to this specific combo being my most used one and not enough testing of the other combos has happened.  <shrug>


Looks like I'm seeing this in Server 2008 R2 also.  At least the event log is showing the Kerberos pre-authentication event 4771 failures from the Windows 10 machines.  But we have account lockout turned off since we are a pretty small operation so it hasn't hurt us yet.  And my outside access is two-factor so I'm not too worried about account lockout.

I'm more worried that they let this exist in RTM when they knew about it well in advance, and makes me wonder what other DC and AD related surprises are out there waiting...
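
For tracing which client is generating the event 4771 pre-authentication failures and the resulting lockouts mentioned in this thread, the following is an added example, not code from any poster or from Microsoft. It assumes the DC's Security log was exported as concatenated event XML (for instance with `wevtutil qe Security /q:"*[System[(EventID=4771 or EventID=4740)]]" /f:xml`); the account name, host name and addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kerberos result codes commonly seen in the Status field of event 4771
STATUS = {"0x12": "account disabled, expired or locked out",
          "0x17": "password expired",
          "0x18": "pre-authentication failed (wrong password)",
          "0x25": "clock skew too great"}

def parse_events(xml_text):
    """Yield (event_id, time, fields) for each <Event> in concatenated event XML."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        fields = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, when, fields

def summarize(xml_text, user):
    """Count 4771 failures per (client address, reason); list 4740 lockouts."""
    failures, lockouts = Counter(), []
    for eid, when, f in parse_events(xml_text):
        if f.get("TargetUserName", "").lower() != user.lower():
            continue
        if eid == 4771:
            ip = f.get("IpAddress", "").replace("::ffff:", "", 1)  # IPv4-mapped form
            code = f.get("Status", "").lower()
            failures[(ip, STATUS.get(code, code))] += 1
        elif eid == 4740:
            # 4740 records the caller computer name in TargetDomainName
            lockouts.append((when, f.get("TargetDomainName", "")))
    return failures.most_common(), lockouts

def _ev(eid, when, **data):  # builds one constructed sample event
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample: account names, host name and addresses are placeholders
SAMPLE = "".join([
    _ev(4771, "2015-08-10T09:01:12Z", TargetUserName="jdoe", Status="0x18", IpAddress="::ffff:10.0.0.21"),
    _ev(4771, "2015-08-10T09:03:30Z", TargetUserName="jdoe", Status="0x18", IpAddress="::ffff:10.0.0.21"),
    _ev(4771, "2015-08-10T09:04:02Z", TargetUserName="asmith", Status="0x18", IpAddress="::ffff:10.0.0.50"),
    _ev(4740, "2015-08-10T09:05:40Z", TargetUserName="jdoe", TargetDomainName="WIN10-PC01"),
    _ev(4771, "2015-08-10T09:06:01Z", TargetUserName="JDoe", Status="0x12", IpAddress="::ffff:10.0.0.21"),
])

if __name__ == "__main__":
    for row in summarize(SAMPLE, "jdoe"):
        print(row)
```

A run of 0x18 failures from one address followed by a 4740 naming the same workstation, then 0x12 results, is the pattern that ties a lockout to a single client.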


Just an update.  My MS support rep is now in the process of building a Win 10 VM in his test environment to try and replicate the issue.  Hopefully he succeeds.
Make sure he is using an account that has not seen Windows 10 yet but has logged into a Windows 8 box, otherwise he will not have any issues and claim it is a local issue.

I've informed him of this, but have enough people verified that using a brand new account does not, in fact, present the issue, ever?  I'm not sure it's only limited to accounts that have been used prior to Windows 10 and believe with enough testing someone would find they did have the issue with even brand new accounts.

I only say this because the reverse is also not true for me.  I have 2 accounts and 2 workstations.  Both accounts were used prior to Win10.  I only have this issue with the specific combination of one of my accounts on one of my workstations.  Any other combo does not present the issue.  Perhaps this is just due to this specific combo being my most used one and not enough testing of the other combos has happened.  <shrug>

I can confirm that we are getting this with a brand new account on a fresh install of Windows 10 Professional, so it is not linked to accounts that have previously logged into another version of Windows.

We have 3 accounts/machines with this issue. 2 upgrades with accounts that have logged into a previous version of Windows, and the other is the fresh install with brand new account. 


WOW, I can't believe that I have gotten through an entire day without my account getting locked out in AD, quitting time is at 5:00 PM Central, so I still have about 40 minutes to go. 

Note that I have not made any changes to my system other than the updates that I received from Microsoft on 8/12/2015.



Question Info

Last updated June 8, 2021. Views: 100,734.