TL;DR

If Windows 11 24H2 (and 25H2) machines are randomly locking out AD accounts, and AD swears the lockout is coming from the machine while the machine swears nothing failed to log in. It’s Credential Manager quietly throwing your cached Exchange mailbox password at your domain controller. No official Microsoft fix exists as of this writing. Skip to Fixes if you just want it stopped.

Symptoms

  • Random lockouts of user AD accounts, only on Windows 11 24H2 and newer.
  • AD shows the lockout coming from the user’s machine. The machine itself shows no failed logins, but Credential Manager logs authentication failures.
  • The issue survives clearing Credential Manager, wiping and reinstalling Windows, and follows the user to literally any other machine they log into as long as that machine is also 24H2+. Roll a user back to Windows 10 or 23H2 and it disappears immediately.

Cause

Starting in 24H2, Microsoft leaned harder into cross service SSO, and Credential Manager got more aggressive about it: it now assumes your Exchange/email login, your M365 login, and your local AD login are all the same account, and starts trying cached credentials against whatever it can reach.

Specifically: if the AD username matches the mailbox login (even just the part before the @), Credential Manager will submit the cached Exchange/mailbox password against your local domain controller using only the pre-@ portion of the UPN. It does this even when the Exchange server has nothing to do with the local AD, and even when the email domain doesn’t match the AD domain at all.

If the AD password and the Exchange password aren’t identical, every retry is a failed logon against your DC. With any account lockout policy in place, that’s a lockout loop that regenerates itself every time Outlook (or anything else holding that cached cred) tries to reauth.

This isn’t a one-off report it’s showing up independently across Microsoft Q&A threads, Spiceworks, and MSP/sysadmin forums, all describing the identical mechanism. As of now, it is not listed on Microsoft’s official Windows 11 24H2 known-issues page, and Microsoft support reps responding in those threads have said outright there’s no official fix just the community workarounds below.

Fixes

  1. Make the Exchange password match the AD password. Fastest fix. Doesn’t scale past a handful of users, and breaks again the next time either password rotates.
  2. Change the AD username so it no longer matches the mailbox login. Better version of this: instead of just renaming, set a distinct UPN suffix matching the mail domain so the full UPN diverges from the mailbox login, not just the friendly name. Some admins report a plain rename alone drifts back into the problem over time the UPN suffix version is more durable.
  3. Disable account lockout policy for impacted users.
  4. Restrict affected users to OWA only, so credentials never land in Credential Manager in the first place. I’m sure your users will love this.
  5. Roll back to Windows 11 23H2 (or stay on Windows 10).

Others hitting this

This is happening across multiple unrelated environments, not just one weird setup: