StoreThomas
Copper Contributor
Apr 16, 2026

Domain users not able to logon with their password even though it has not been changed....

Hi, we have this weird problem where some of the users suddenly can't log in to their computer with the password they have used for almost 20 years (yes sorry, bad practice).

When the user reports it I check that I can logon to the computer with my own account (not 20 year old password) which works fine. I check the event log for problems both on the client and the DC and all I see which I can relate to the problem is event id 4625 with an error code which means bad password.

I check the AD account and see that pwdLastSet has a date in 2006 (not quite 20 years, but close) and I check that the account is not logged out or expired. Also make sure that "password never expires" is enabled, so in my book these are all the checks needed and problem not solved.

I then change the password to the same password that the user has had for almost 20 years and problem solved, but problem source not found.

This has happened to 3-4 users within the last week or two, even a service user with domain admin permissions. The only thing I pay note to that they have in common is the pwdLastSet in 2006, but I really can't seem to get my head around this being the issue. Also, the only other thing I can think of that has changed is that the old DC has been removed a few months ago, and a new 2025 DC has been introduced. Promote/demote went without issues and this problem didn't surface before now, several weeks after the DC change.

So if anyone has experienced something similar or perhaps can point me in a direction for further troubleshooting please let me know.

Thanks

Thomas

6 Replies

  • Peterdoo2
    Copper Contributor

    I have had exactly the same problem since installing the April 2026 updates on the Windows 2025 DC. Users that have not changed their password for many years cannot logon with their domain user on Windows 11 workstations.

    I have tried many things. The one that has solved the problem was starting "Active Directory Users and Computers" as admin and resetting their password to the same one they have been using or to a different one.

  • I am curious if you have the 2026-04 CU installed. Because it seems that it might be related to:

    https://techcommunity.microsoft.com/discussions/WindowsServer/2026-04-update-breaks-domain-logins/4511399

  • EMR88
    Copper Contributor

    Did this issue just occur in the last few days?  What are your AD domain controllers (Server 2019, 2022, 2025)?  If you applied the latest 2026-04 security patch, it changed the default Kerberos authentication encryption from RC4 to DES.  This caused an issue for me as I have an original AD that started in 2000 and has been consistently upgraded.  The solution for those users that are locked out: enable AES-128 and AES-256 encryption on the user accounts.  Make sure that you do this for all current and future user objects.

  • StoreThomas
    Copper Contributor

    Sorry, can't find a way to edit my post, so just adding that "and I check that the account is not logged out or expired....." should of course be "and I check that the account is not locked out or expired....."

    • rtcpu
      Copper Contributor

      If you have installed the April 2026 updates on your domain controllers then that might explain it. RC4 has been removed as a default for "assumed encryption types" (where an account does not specify the encryption types it requires/uses).  As the accounts have very old passwords they most likely don't have the newer AES encryption keys which are now required.  Resetting a password, even to the same password, should generate new keys.  There are event logs on the domain controllers that can confirm if this is what is happening.  You can revert the RC4 change by adding a registry setting to your domain controllers but you've only got until July 2026, which is when the change is being enforced.

      See these articles for more information.

      What Changed in RC4 with the January 2026 Windows Update and Why it is Important | Microsoft Community Hub

      What is going on with RC4 in Kerberos? | Microsoft Community Hub

      https://support.microsoft.com/en-us/topic/how-to-manage-kerberos-kdc-usage-of-rc4-for-service-account-ticket-issuance-changes-related-to-cve-2026-20833-1ebcda33-720a-4da8-93c1-b0496e1910dc
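
Added example (not part of any post in this thread): a read-only PowerShell audit for the condition rtcpu describes, listing enabled accounts whose password was last set before a cutoff date and decoding their msDS-SupportedEncryptionTypes value. It assumes the ActiveDirectory RSAT module is installed; the `-AesCutoff` parameter and the helper name `ConvertTo-EncTypeNames` are assumptions introduced here, and the cutoff must be the date your own domain began generating AES keys on password change.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD.
# $AesCutoff is an ASSUMPTION you supply: the date from which password changes
# in your domain produced AES keys (domain running 2008-or-later DCs).
param(
    [Parameter(Mandatory)] [datetime] $AesCutoff
)

Import-Module ActiveDirectory

# Bit flags of the msDS-SupportedEncryptionTypes attribute
$EncBits = [ordered]@{
    'DES-CBC-CRC' = 0x01
    'DES-CBC-MD5' = 0x02
    'RC4-HMAC'    = 0x04
    'AES128'      = 0x08
    'AES256'      = 0x10
}

# Hypothetical helper: turn the bitmask into readable names
function ConvertTo-EncTypeNames([int] $Value) {
    if ($Value -eq 0) { return 'not set (KDC assumed types apply)' }
    ($EncBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }) -join ', '
}

$props = 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'ServicePrincipalName'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    # Skip accounts with no PasswordLastSet (must change password at next logon)
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $AesCutoff } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'HasSPN';   e = { $_.ServicePrincipalName.Count -gt 0 } },
        @{ n = 'EncTypes'; e = { ConvertTo-EncTypeNames ([int]$_.'msDS-SupportedEncryptionTypes') } }
```

Accounts in the output are candidates for a password reset before the July 2026 enforcement mentioned above; rows with `HasSPN` true are service accounts, whose reset has to be coordinated with the services using them.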