Weird AD password issue, any ideas?
Posted by 3100gutter@reddit | sysadmin | 78 comments
This morning I have had 4 different users report an identical issue:
User goes to log into their domain-joined Windows PC, puts in their normal password, gets an incorrect password error.
Restarting the computer leads to the same thing happening.
I reset their password for them, give them the temporary, and the same thing happens. Whether I'm putting it in for them or they're typing it themselves, incorrect password each time.
So I log into my account, no problems logging in at all.
I do nothing, log out, have them attempt again, and now suddenly they can log in with no issue.
Never seen this particular issue before, but it's weird that I'm suddenly getting multiple users across different sites having this identical issue today.
Extra info: checked the last password change date, and all users had not changed their passwords recently, so it's not like they got reset without them knowing.
Proud_Contribution64@reddit
Ran into the issue a couple times. After trying everything, had user click other user for the heck of it and enter their username and password and all was good
GhoastTypist@reddit
Or is it an issue with the computer losing connection to the DC during connection so the password isn't updating with the PC?
I have seen some weird DNS and networking issues causing similar things in the past. Never 4 users at one time, but had they all been connected to the same switch or hub, it's possible.
Eggslaws@reddit
Keyboard layout?
InsaneITPerson@reddit
I had a similar issue. I had the user switch to other user then use the domain\username format to log in. It worked and so did subsequent logins.
greatpebble@reddit
We’ve been having this for weeks, if there’s more than 1 user account cached on the computer then the account is actually trying to authenticate against the other persons account. Person X sees their name so they try to log in, person Y has previously logged in on that computer at one point, person X gets “incorrect password” but looking at logs Person Ys account is trying to log in. Usually a reboot fixes it because it uncaches the other account. When you click log in as another user it will allow you to fully log in but next time the computers locked the same issue is happening.
3100gutter@reddit (OP)
Might be a dumb question, but where did you check to verify this? Our audit policy might not be set up correctly apparently.
bcredeur97@reddit
I hate reading this.
kirashi3@reddit
Could it be related to this? Fast User Switching seems to have broken after a recent Windows 11 update. We only noticed it on front desk computers shared by multiple staff members. Telling staff to click "Other User" then manually type in their full email address is our current workaround until Microsoft fixes this with another update.
https://learn.microsoft.com/en-ca/answers/questions/5858421/kb5077181-unable-to-switch-between-logged-in-users
Sammeeeeeee@reddit
Had the same issue this morning
therankin@reddit
First ever time we saw the issue was today too.
SmasherOfDaButtons@reddit
I've seen this work more times than I care to admit. User types in a known-good password and can't login. Click switch user, type in same username/pw combo and they get right back into their session. Shit like that is why I drink. No way to rationally explain it to an end user.
Weary-Bear7923@reddit
Had the same thing on some entra joined computer
pakman82@reddit
Wait a minute. I think I'm getting this on my work machine. I gave up and used outlook on mobile.
Nanis23@reddit
This is why I hate this field. There are always new bugs in stuff that worked reliably for years. We will never get a break
GeekgirlOtt@reddit
Between the MDM, ABM, CSP, M365 consoles, mail filter service, cell carrier, Windows updates, it's a miracle, a rare event, to get through an onboard without some kind of delay.
3100gutter@reddit (OP)
One of our techs had a user try that and it worked, so it's good to know an easy work around, thanks for that. Would be nice to know why it's happening though.
thy4205@reddit
Something similar happened to me when the workstations were upgraded to Win11 and the 2003 domain controllers got mad with it and didn't allow login on a random basis. Solved it with a domain controller migration.
But I don’t suppose that’s the issue for ya lolol, it’s 2003 after all.
TheJessicator@reddit
Is AD replication healthy? Any domain controllers offline? Errors or warnings?
Need_no_Reddit_name@reddit
dcdiag as well
TheJessicator@reddit
Absolutely, I was just giving a starting point.
8ftmetalhead@reddit
I've had 3 users report they can't login and their password is reporting as incorrect. For whatever reason, instead of signing in showing their details, the PC shows 'unlock the pc'. Either hitting switch user and logging in or rebooting fixed this. Really odd problem, but I assume patch Tuesday broke something
Netfade@reddit
Out of interest, do you have Server 2025 on some DC's but not all?
951812A@reddit
I’ve seen this issue and I do.
3100gutter@reddit (OP)
No not for our DC's, they're both on 2022.
purplemonkeymad@reddit
This reminds me of that story about the computer where they couldn't sign in when standing up. In the end it was that the n & m keys were swapped, people used touch typing when sitting, but had to hunt when standing, causing the mix up of characters.
Have you checked for keyboard or layout issues? Faulty keys/low battery might be missing characters in the password.
OptimalDescription39@reddit
The cached token issue on multi-user machines matches exactly what you're describing and the fact that Other User workaround fixes it points right at that. Sounds like something a recent update introduced. Worth checking if all affected machines share a recent patch date.
CyborgPenguinNZ@reddit
try clear kerberos tickets on the affected ws?
klist purge
klist purge -li 0x3e7
cjbarone@reddit
https://www.reddit.com/r/sysadmin/comments/1tc5doc/accounts_locking_out_after_patch_tuesday/
Are the accounts using RC4 encryption?
Usr0017@reddit
This was it in my case, adjusted the encryption in the computer account and did a rejoin. Fixed the issues.
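As an added example (mine, not code posted by anyone in the thread), here is the read-only half of what cjbarone and Usr0017 are talking about: decode msDS-SupportedEncryptionTypes for every computer account and flag the ones that are RC4-only or unset. The bit values are the documented ones for that attribute; which accounts you scope the query to, and what you set them to afterwards, is your call and is only sketched in a comment.

```powershell
# Added example, not from the original thread. Needs the RSAT ActiveDirectory
# module and read access to the domain; it changes nothing.
Import-Module ActiveDirectory

# Documented bit values of msDS-SupportedEncryptionTypes.
$encBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
    AES256_SK   = 0x20
}

function ConvertFrom-EncTypes {
    # Turn the raw integer into a readable list; $null/0 means the attribute is
    # not set and the DC's DefaultDomainSupportedEncTypes decides.
    param($Value)
    if ($null -eq $Value -or $Value -eq 0) { return 'unset (DC default applies)' }
    ($encBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Key) -join ','
}

function Get-EncTypeFlag {
    param($Value)
    if ($null -eq $Value -or $Value -eq 0) { return 'UNSET' }
    if (($Value -band 0x18) -eq 0)         { return 'NO-AES' }   # RC4 and/or DES only
    if ($Value -band 0x04)                 { return 'RC4+AES' }
    return 'AES-ONLY'
}

# Narrow with -SearchBase for large domains.
Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes, OperatingSystem, PasswordLastSet |
    ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Name           = $_.Name
            OS             = $_.OperatingSystem
            PasswordLastSet = $_.PasswordLastSet
            Raw            = $v
            EncTypes       = ConvertFrom-EncTypes $v
            Flag           = Get-EncTypeFlag $v
        }
    } | Sort-Object Flag, Name | Format-Table -AutoSize

# Remediation is a separate, deliberate step, e.g. for one machine:
#   Set-ADComputer -Identity PC01 -Replace @{'msDS-SupportedEncryptionTypes' = 0x18}
# followed by a machine password reset or rejoin so new AES keys exist.
```

Sort by the Flag column first: anything in NO-AES or UNSET is where a Kerberos-hardening update would bite, and a cluster of those machines matching the affected list is a stronger signal than the value on one PC.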
Jasa004@reddit
Can anyone with same issues confirm that the workstations have following updates?
2026-05 Security update (KB5089549) (26200.8457)
2026-05 .NET Framework Security update (KB5087051)
jcpham@reddit
Num lock not on is my guess
mcdonamw@reddit
Happens all the time in my environments. Get a tool to monitor bad passwords. They are likely logged into some system with the old password and it keeps locking the account before they get a chance to log in successfully.
Often happens with mobile devices, especially those using user creds to auth to wifi.
Even outlook on their phone can do it.
lithobreaker@reddit
Could be a time sync issue. If the clocks on the workstations were out of sync with the DC, auth will fail. Then if the clocks resync, like they're supposed to do, it will magically start working again.
machaus99@reddit
Yeah, feels Kerberos-ish
HappyTechnicus@reddit
Do you sync with Azure? I had this issue with the mobile Teams app on a user’s phone locking their account. Deleted the app and the password resets began working again.
ButterflyPretend2661@reddit
I have this same issue sometimes. if you find the solution let me know as we have looked at everything for like 2 years now. it doesn't happen frequently but we just don't know the cause.
therankin@reddit
We've only ever seen the issue today too like OP. Weird stuff.
ButterflyPretend2661@reddit
If it only started today, are you deploying 2026-5 already? For us this happens with no correlation to updates or network, but apparently it's happening to more people today.
therankin@reddit
We haven't pushed the latest update forcefully. I'd have to check if it was run on those endpoints, but I'd guess it's something else.
Begmypard@reddit
We have not deployed 2026-5 and have been seeing this issue since at least early April (if not March). Only on shared computers, so not having a huge impact, but it's been present and persistent.
Competitive_Run_3920@reddit
I had a similar issue where users would get an incorrect password message and usually rebooting would fix it. Turned out to be a DHCP scope that still had a retired DNS server listed, so some queries that went to the retired DC IP would fail. Because… it's always DNS :)
ConditionSea5973@reddit
Have the same.
If you go to sign in options and select the "show account details such as my email address...." then log out you will see the user name and login name don't match.
It's a pain in the ass and only happened a month or so ago with shared machines.
Slasher1738@reddit
Seeing something similar with computer accounts. My CA server keeps saying wrong username and password when trying to publish templates or the CRL or when other servers are trying to update group policy
rulebreaker@reddit
I had a problem similar to that, and it turned out to be DNS resolution. The server in question had multiple interfaces, and one of them was set to use a DNS server that couldn’t resolve the domain, meaning that the domain controller could not be found.
boofis@reddit
Saw this once when someone’s profile set a UK keyboard and munted the special character when using shift, lol.
Monsterology@reddit
Had this issue for the first time today on a few machines… saving for later.
Leddagger16@reddit
Looks like you already found the workaround, but having them select other user and then signing in usually works. This has been happening randomly for the last few months for us. Haven't had time to dive into the cause yet.
Flabbergasted98@reddit
My gut instinct is that trust in the domain is lost.
Their password isn't working because it's been changed recently but the change hasn't pushed to the computer from AD because there is no trust.
Your password is still working because it hasn't been changed recently and is still cached on the device.
The simple test is for you to open a powershell command and run test-computerSecureChannel
If it's false, your trust is lost and this pc isn't communicating correctly with the domain. Time to rejoin.
If it's true, then it's something else entirely and you'll have to keep digging.
patmorgan235@reddit
That's not how this works.
The password is not "pushed" from the DC to the computer.
When a user tries to log in the computer will first try to reach out to the DC to validate the password. If the DC is not available, it will attempt to validate against any cached credentials.
If the computer's domain trust is invalid and it has line of sight to a DC it will get the error message "The trust relationship between this workstation and the primary domain failed". Not an incorrect password message.
If the computer doesn't have line of sight it wouldn't know if its trust is good or not, so it would give an incorrect password message if the password entered didn't match the cached credentials.
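An added example, mine rather than anything posted in this thread: one PowerShell pass over the non-password causes raised above, Flabbergasted98's secure-channel test, patmorgan235's point about whether a DC is reachable at logon time, lithobreaker's clock-skew suggestion, and the cached-logon count that several replies circle around. It runs elevated on the affected workstation and only reports; `Test-ComputerSecureChannel -Repair` is left as a comment because it needs domain credentials and resets the machine account password. Parsing of the nltest and w32tm output assumes their English output format.

```powershell
# Added example, not from the original thread. Read-only workstation triage;
# run in an elevated PowerShell on the affected PC.

$report = [ordered]@{}

# 1. Machine account secure channel. A broken one produces "trust relationship"
#    errors when a DC is reachable, not "incorrect password".
$report.SecureChannelOK = Test-ComputerSecureChannel
# Repair (domain creds required, resets the machine password):
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

# 2. Which DC Netlogon is bound to, and which one authenticated this session.
#    LOGONSERVER is empty when the session came from cached credentials, which
#    is itself worth knowing.
$scQuery = nltest /sc_query:$env:USERDOMAIN 2>&1
$report.NetlogonDC  = (($scQuery | Select-String 'DC Name') -replace '^.*?:\s*', '').Trim()
$report.LogonServer = if ($env:LOGONSERVER) { $env:LOGONSERVER } else { '(none: cached logon)' }
$dc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { $report.NetlogonDC.TrimStart('\') }

# 3. Reachability on the ports an interactive logon actually uses:
#    Kerberos (88), LDAP (389), SMB/Netlogon (445).
foreach ($port in 88, 389, 445) {
    $report["Port$port"] = (Test-NetConnection -ComputerName $dc -Port $port `
                             -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 4. Clock skew against that DC. Kerberos default tolerance is 5 minutes.
#    Stripchart lines look like "HH:MM:SS, +00.0012345s".
$samples = w32tm /stripchart /computer:$dc /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
$report.MaxSkewSeconds = if ($offsets) { ($offsets | Measure-Object -Maximum).Maximum } else { 'n/a' }

# 5. Number of domain logons cached locally (default 10). On shared PCs the
#    oldest entry is dropped once the count is exceeded.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$report.CachedLogonsCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                              -ErrorAction SilentlyContinue).CachedLogonsCount

# 6. OS build, to correlate affected machines with a patch level.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report.OSBuild = "$($cv.CurrentBuild).$($cv.UBR) ($($cv.DisplayVersion))"

[pscustomobject]$report | Format-List
```

Read the output in that order: SecureChannelOK false or a closed port 88/389/445 rules the password out entirely, MaxSkewSeconds above 300 is a Kerberos failure regardless of what was typed, and a build that matches across every affected PC but not the healthy ones is the correlation the later replies ask for.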
Flabbergasted98@reddit
okay so it hasn't been pulled from the DC computer yet.
In my environment the computer doesn't have line of sight during login. It only achieves that after logon, when the VPN then enables the connection allowing for visibility to the DC, so I rarely ever see the trust relationship error. It's almost always an incorrect password message.
3100gutter@reddit (OP)
That was mine too, but I just found another one with the same issue, and it tested True once I logged in.
Didn't have to reset the password on that user, I just logged in successfully, logged out, and they were able to log in fine.
Seems like it's only affecting the last logged in user, but as soon as you try with someone else it fixes itself.
CorgiPotential232@reddit
Are both of your DCs patched? We had some kerberos problems, not exactly like this, that was because one dc was not patched.
PawnF4@reddit
I had the same issue a while back. For me it was broken replication between two DCs. If users got the DC other than the one they authenticated against at last password change, authentication failed. Run dcdiag and see what happens.
Begmypard@reddit
We've been dealing with this for a month or so but only on machines that have multiple users logging in/out. It has something to do with local cache tokens, the DCs (all 2022 on our end) shows no issues, passing credentials fine but the local machine still reports incorrect password. Both restarting the computer and having the user login as "other user" and retype their credentials gets it moving again. We believe it was something introduced with a recent update, but it's so infrequent and specific that we are just working around it, for now.
billybob212212@reddit
Same problem here on seemingly random computers. Only happens on multi-user computers. We’ve been working around it by having people hit the “other user” button and re-enter their username with the password.
3100gutter@reddit (OP)
I guess it's nice to hear that other people are having it happen too, I had some updates to apply to those DCs today, so we'll see if that alleviates the issue.
Begmypard@reddit
Someone below linked it, this was also the post I was referencing. Local machine is caching the wrong user, this is some more microslop goodness 😭
https://learn.microsoft.com/en-us/answers/questions/5791246/continuously-need-to-user-other-user-to-login
Begmypard@reddit
Almost positive the issue is with the user caching on the local machine, not DC related. I found a post on Microsoft Learn specifically related to this issue but now I can't dredge it up, when I do I will post it here.
Sebastianelhefe@reddit
I've had it happen when one of the users was using user@domain.com and one was using domain\user. Same workaround, but it was fixed by just having them both use domain\user.
DonL314@reddit
Could it be a simple thing like the network speed negotiation not being completed in time?
What happens for the users if you turn on their PC's and wait 10 minutes before trying to log in?
therankin@reddit
I think it just has to do with the cached local account username.
When you re-enter the username instead of using the cached one it fixes the issue.
One of my users was on her desktop which had been turned on for well over 10 minutes before she tried to login/unlock.
therankin@reddit
We just saw the issue for the first time this morning too! We had it happen to 3 different people.
The account wasn't locked on the AD side, so I knew I didn't have to reset the pw. Thankfully, I very quickly figured out that if I logged in to a local account and rebooted it worked fine.
I guess something about making the user type their username instead of using a cached account.
If I see the issue again I'll use your EDIT 3 tip.
iiiiijoeyiiiii@reddit
We've been getting this too. On computers with multiple users. Workaround by using Other User. When I check Event Viewer for ID 4625 it's trying to authenticate the wrong account. Like I'm trying to log in as Jeff and it's showing failed logins for Karen...
https://learn.microsoft.com/en-us/answers/questions/5791246/continuously-need-to-user-other-user-to-login
I think it's the same as this issue? But I haven't seen anyone find a fix for it yet
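The check that greatpebble and iiiiijoeyiiiii describe, and that 3100gutter asks how to perform, as an added PowerShell example (mine, not code posted in the thread): pull the recent 4625 failures from the workstation's Security log and show which account Windows actually submitted, with the status code decoded. It prints the Logon audit subcategory first, because OP was unsure of the audit policy and an empty result means nothing if failure auditing is off. The $Hours parameter and the lookup table are mine; the codes in the table are the documented 4625 Status/SubStatus values.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on
# the affected workstation. Lists failed logons (event 4625) from the last N
# hours so a mismatch between the name on the lock screen and TargetUserName
# (Jeff on the tile, Karen in the event) is visible.
param([int]$Hours = 24)

# Documented failure codes for event 4625 (Status / SubStatus fields).
$reasons = @{
    '0xc000005e' = 'No logon servers available'
    '0xc0000064' = 'Username does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Bad username or authentication information'
    '0xc000006e' = 'Account restriction'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000133' = 'Clock skew between DC and client too large'
    '0xc000015b' = 'Logon type not granted'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Password must change at next logon'
    '0xc0000234' = 'Account locked out'
}

# If Failure auditing is off for Logon, nothing below is recorded at all.
auditpol /get /subcategory:"Logon"

function Get-EventField {
    # Read one named EventData value out of the event's XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4625 events in the last $Hours hours."; return }

$events | ForEach-Object {
    $x      = [xml]$_.ToXml()
    $status = "$(Get-EventField $x 'Status')".ToLower()
    $sub    = "$(Get-EventField $x 'SubStatus')".ToLower()
    # SubStatus carries the specific cause when set; otherwise fall back to Status.
    $code   = if ($sub -and $sub -ne '0x0') { $sub } else { $status }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = '{0}\{1}' -f (Get-EventField $x 'TargetDomainName'), (Get-EventField $x 'TargetUserName')
        LogonType = Get-EventField $x 'LogonType'   # 2 interactive, 7 unlock, 11 cached interactive
        Code      = $code
        Reason    = if ($reasons.ContainsKey($code)) { $reasons[$code] } else { 'see event 4625 documentation' }
        Process   = Get-EventField $x 'ProcessName'
    }
} | Sort-Object Time | Format-Table -AutoSize
```

For the symptom in this thread the tell is an Account column naming the previous user of the PC with LogonType 7 and Code 0xc000006a while the person at the keyboard is somebody else; a run of 0xc000006a for the right account from a non-interactive logon type instead points at mcdonamw's stale-credential explanation.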
KiefKommando@reddit
Yes I have seen this exact issue occasionally, never found a cause and it comes up so infrequently that we just have the user click other user and retype their username in.
schplatt@reddit
I am assuming you have an administrator account, and they don't?
Could be the machine password. This can be fixed when logging in with a domain admin on the PC, or by generating a new machine password. It doesn't always say what is wrong when this happens.
M365Expert@reddit
This sounds like a NTDS DB issue and the DC that they are authenticating to is not replicating correctly.
Special-Extreme6112@reddit
Doing any entra syncing or have multiple UPNs?
Ad-1316@reddit
Sounds like the computer just needs to be rejoined to the domain, as someone said, trust issues. Cached credentials can buy you 30 days, and you may have reached that. Logging in with an account that doesn't normally log in forces reauth to the domain to validate.
6tyrrell@reddit
Check the attribute in AD that handles password expiration. We had this issue once and Defender changed the password expiry date to a date in the past. We were going through a pen test and it thought the login was compromised.
DrockByte@reddit
Maybe a USN mismatch between the domain controllers.
Have you tried running "dcdiag /test:replications" on both DCs to make sure there are no replication issues?
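Added example (mine, not code from the thread): the DC-side checks that TheJessicator, Need_no_Reddit_name, PawnF4 and DrockByte point at, in PowerShell. It summarises replication partner status with the ActiveDirectory module, then reads the same user from every DC so a password change that has not converged (PawnF4's case) or a badPwdCount climbing on one DC only (mcdonamw's stale-credential hypothesis) shows up as a per-DC difference. The default sAMAccountName is a placeholder.

```powershell
# Added example, not from the original thread. Needs the RSAT ActiveDirectory
# module and read access to the directory; nothing is modified.
param([string]$SamAccountName = 'jdoe')   # placeholder; pass the affected user

Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. Replication health per partner link: last success, last result, failure streak.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures
}
# The built-in tools named in the thread give the same picture:
#   repadmin /replsummary
#   dcdiag /test:replications

# 2. The same account read from every DC. pwdLastSet should be identical
#    everywhere; badPwdCount and badPasswordTime are not replicated, so they
#    legitimately differ, which is what makes them useful for seeing which DC
#    is receiving the bad attempts.
function Compare-UserAcrossDCs {
    param([string]$Sam, $DomainControllers)
    foreach ($dc in $DomainControllers) {
        try {
            $u = Get-ADUser -Identity $Sam -Server $dc.HostName -ErrorAction Stop `
                 -Properties pwdLastSet, badPwdCount, badPasswordTime, lockoutTime, lastLogon, userPrincipalName
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DC              = $dc.HostName
            PwdLastSet      = if ($u.pwdLastSet)      { [datetime]::FromFileTime($u.pwdLastSet) }      else { $null }
            BadPwdCount     = $u.badPwdCount
            BadPasswordTime = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut       = [bool]($u.lockoutTime -gt 0)
            LastLogon       = if ($u.lastLogon)       { [datetime]::FromFileTime($u.lastLogon) }       else { $null }
            UPN             = $u.userPrincipalName
        }
    }
}

$rows = Compare-UserAcrossDCs -Sam $SamAccountName -DomainControllers $dcs
$rows | Format-Table -AutoSize

# PawnF4's symptom: the password change exists on one DC but not the others.
if (($rows.PwdLastSet | Select-Object -Unique).Count -gt 1) {
    Write-Warning "pwdLastSet differs between DCs for $SamAccountName; a password change has not replicated."
}
```

If every DC agrees on pwdLastSet, badPwdCount is zero everywhere and the partner metadata shows recent successes, the directory is not the problem and the remaining candidates are on the workstation, which is where the other-user workaround already points.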
slashinhobo1@reddit
Assuming you can log into their computers try checking their accounts. Maybe the upn was changed or something.
It sounds like specific accounts, unless it's growing as we type.
3100gutter@reddit (OP)
Not growing quick, and not that many accounts all things considered thankfully.
Their accounts are fine, they can login using Other User, but if they try to just put in their password on the "last signed in" page, it won't work.
Lonestranger757@reddit
Anyone allowed Company email on a personal device? particularly with exchange....
This happened years ago but people would randomly get locked out, I started checking ActiveSync connections in exchange and I'd go.. you own an iPad? or how about another Computer? and then they'd go yeah! how'd you know?
you put company email on a personal device, and just had to change your password.... turn it off!
Router_RIP@reddit
You gotta look at the event logs on the dc for auth events/ lockout events.
I’ve seen people have this issue where the accounts were getting locked by attackers trying to brute force the accounts over the vpn.
3100gutter@reddit (OP)
No account lockouts, the accounts weren't locked out either.
We have had some random issues that caused repeated account lockouts in the past, but this is unique from those.
DuckDuckBadger@reddit
Sounds like it could be a secure channel issue. It’s established when you login and then the user can login. Do you have multiple domain controllers? Have the April patches been applied? Are there any Kerberos errors on your domain controllers?
3100gutter@reddit (OP)
We do have multiple DC's, and those patches were applied.
Not seeing any Kerberos errors on either of them.