What's Actually Happening
Users cannot authenticate to Active Directory domain. Login attempts fail with various error messages indicating account or authentication issues.
The Error You'll See
Windows login error:
The user name or password is incorrect.
Domain join error:
```powershell
PS> Add-Computer -DomainName mydomain.local
Add-Computer : Computer 'MACHINE' failed to join domain 'mydomain.local' from its current workgroup. The error was: Logon failure: unknown user name or bad password.
```
LDAP bind error:
```bash
$ ldapsearch -H ldap://dc.mydomain.local -D "user@mydomain.local" -W
ldap_bind: Invalid credentials (49)
```
Kerberos error:
```bash
$ kinit user@MYDOMAIN.LOCAL
kinit: Password incorrect while getting initial credentials
```
Why This Happens
1. Account disabled - the user account is disabled in AD
2. Password expired - the password is past its expiration date
3. Account locked - too many failed login attempts
4. Wrong credentials - incorrect username or password
5. Domain unreachable - no DC is accessible
6. Time synchronization - clock skew between client and DC breaks Kerberos
Step 1: Check User Account Status
```powershell
# Check the key account status properties:
Get-ADUser -Identity username -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate

# Output shows:
#   Enabled: True/False
#   LockedOut: True/False
#   PasswordExpired: True/False

# Dump every attribute of the account:
Get-ADUser username -Properties *

# Check that the account exists at all (a filter returns nothing instead of an error when there is no match):
Get-ADUser -Filter {SamAccountName -eq "username"}

# Check whether the account is disabled:
Get-ADUser username | Select-Object Enabled

# Enable the account:
Enable-ADAccount -Identity username

# Check the account expiration date:
Get-ADUser username -Properties AccountExpirationDate

# Clear the expiration date (-AccountExpirationDate expects a date, not 0; use the dedicated cmdlet):
Clear-ADAccountExpiration -Identity username
```
Step 2: Check Account Lockout
```powershell
# Check lockout status:
Get-ADUser username -Properties LockedOut

# Unlock the account:
Unlock-ADAccount -Identity username

# Check lockout history (lockoutTime is a FILETIME value; 0 means not locked):
Get-ADUser username -Properties lockoutTime, badPwdCount, LastBadPasswordAttempt

# badPwdCount cannot be reset directly: it is cleared by a successful logon or when the
# lockout observation window expires. To clear a lockout itself, unlock the account:
Unlock-ADAccount -Identity username

# Check the lockout policy:
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Find which DC recorded the bad passwords. badPwdCount and LastBadPasswordAttempt are not
# replicated, so query every DC (the PDC emulator is forwarded all failures and sees the total):
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-ADUser username -Server $dc -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
        Select-Object @{n='DC'; e={$dc}}, LockedOut, badPwdCount, LastBadPasswordAttempt
}

# List all locked-out accounts (LockedOut is a computed property, so use Search-ADAccount rather than a filter):
Search-ADAccount -LockedOut
```
Step 3: Check Password Status
```powershell
# Check whether the password has expired:
Get-ADUser username -Properties PasswordExpired

# Check when the password was last set:
Get-ADUser username -Properties PasswordLastSet

# Compute the password age in days:
$pwdLastSet = (Get-ADUser username -Properties PasswordLastSet).PasswordLastSet
$pwdAge = (Get-Date) - $pwdLastSet
$pwdAge.Days

# Check the maximum password age in the default domain policy:
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge

# Reset the password. Prompt for it instead of passing it as a literal, which would
# leave the new password in the PowerShell history and in any transcript:
Set-ADAccountPassword -Identity username -Reset -NewPassword (Read-Host -AsSecureString "New password")

# Force a password change at next logon:
Set-ADUser username -ChangePasswordAtLogon $true

# Set password never expires (a policy exception; only for accounts whose type requires it):
Set-ADUser username -PasswordNeverExpires $true

# Check the password policy that actually applies to this user (a fine-grained policy
# if one targets the user or a group they belong to, otherwise the domain default):
Get-ADUserResultantPasswordPolicy -Identity username
```
Step 4: Verify Domain Connectivity
```powershell
# Discover a domain controller:
Get-ADDomainController -Discover

# Check DC reachability:
Test-Connection -ComputerName dc.mydomain.local

# Check the LDAP port:
Test-NetConnection -ComputerName dc.mydomain.local -Port 389

# Check the Kerberos port:
Test-NetConnection -ComputerName dc.mydomain.local -Port 88

# Check DNS resolution:
Resolve-DnsName dc.mydomain.local

# Check the LDAP SRV records:
Resolve-DnsName -Type SRV -Name "_ldap._tcp.mydomain.local"

# Check this machine's secure channel to the domain (the cmdlet has no -Domain parameter; -Server selects the DC to test against):
Test-ComputerSecureChannel -Server dc.mydomain.local

# Repair the secure channel (resets the computer account password; requires domain credentials):
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

# Check domain join status:
Get-ComputerInfo | Select-Object CsDomain, CsPartOfDomain
```
Step 5: Check Kerberos Authentication
```powershell
# List cached Kerberos tickets:
klist

# Check for a valid TGT (the ticket for krbtgt/MYDOMAIN.LOCAL):
klist | Select-String krbtgt

# Purge cached tickets (forces fresh authentication on the next resource access):
klist purge

# Get a new TGT: log off and on again, or on a Linux/macOS client:
kinit user@MYDOMAIN.LOCAL

# Check Kerberos client errors in the System log:
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Security-Kerberos'} -MaxEvents 20

# Check SPN registration (a missing or duplicate SPN breaks service ticket requests):
setspn -L username

# Check time sync (critical for Kerberos; the default maximum tolerated skew is 5 minutes):
w32tm /query /source
w32tm /query /status

# Force time sync:
w32tm /resync

# Check the DC's time source and measure the offset between this host and the DC:
w32tm /query /computer:dc.mydomain.local /source
w32tm /stripchart /computer:dc.mydomain.local /samples:3
```
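The 5-minute skew limit can be checked without WinRM by reading the DC's clock from the LDAP RootDSE `currentTime` attribute, which any domain member can query anonymously. This is an added example, not part of the original article; it assumes the ActiveDirectory module is loaded and that the DCs answer LDAP on port 389.

```powershell
function Test-KerberosClockSkew {
    # Compares this host's UTC clock with the DC's clock read from RootDSE 'currentTime'
    # (generalized time, e.g. 20240501120000.0Z) and flags skew beyond the Kerberos default.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$MaxSkewMinutes = 5
    )
    $rootDse = [adsi]"LDAP://$DomainController/RootDSE"
    $raw = [string]$rootDse.currentTime

    # Parse the generalized-time string as UTC so the comparison is time-zone independent.
    $dcTime = [datetime]::ParseExact(
        $raw,
        "yyyyMMddHHmmss'.0Z'",
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
    $localTime = [datetime]::UtcNow
    $skew = $localTime - $dcTime

    [pscustomobject]@{
        DomainController = $DomainController
        DcTimeUtc        = $dcTime
        LocalTimeUtc     = $localTime
        SkewSeconds      = [math]::Round($skew.TotalSeconds, 1)
        WithinTolerance  = [math]::Abs($skew.TotalMinutes) -le $MaxSkewMinutes
    }
}

# Check against every DC in the domain. A row with WithinTolerance = False is enough to
# explain "Password incorrect" style Kerberos failures and is fixed with w32tm /resync.
Get-ADDomainController -Filter * | ForEach-Object {
    Test-KerberosClockSkew -DomainController $_.HostName
} | Format-Table -AutoSize
```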
Step 6: Check DNS Configuration
```powershell
# Check the DNS servers in use:
Get-DnsClientServerAddress -AddressFamily IPv4
# These should point to the DC's DNS service!

# Set DNS to the DC (10.0.0.1 is an example DC address):
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "10.0.0.1"

# Check the DNS suffix search list:
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList

# Set the DNS suffix:
Set-DnsClientGlobalSetting -SuffixSearchList "mydomain.local"

# Check that the domain name itself resolves (to the DCs):
Resolve-DnsName mydomain.local

# Check DC registration:
Resolve-DnsName dc.mydomain.local

# Check the LDAP SRV record:
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.mydomain.local"

# Check the Kerberos SRV record:
Resolve-DnsName -Type SRV -Name "_kerberos._tcp.dc._msdcs.mydomain.local"
```
Step 7: Check Event Logs
```powershell
# Check the Security log for logon failures (filter in the query instead of piping every event through Where-Object):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 10

# Common Event IDs:
#   4625 - Logon failure (on the machine where the logon was attempted)
#   4740 - Account locked out (on the PDC emulator)
#   4771 - Kerberos pre-authentication failed (on the DC)
#   4776 - Credential validation (NTLM) failed (on the DC)

# Check the System log for Netlogon trouble (5719: no DC could be contacted to set up a secure session):
Get-WinEvent -FilterHashtable @{LogName='System'; Id=5719} -MaxEvents 10

# Check the failure reason of the most recent 4625:
$event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1
$event.Properties[5].Value                 # TargetUserName
$event.Properties[8].Value                 # FailureReason (a %%-coded resource string)
'0x{0:X8}' -f $event.Properties[7].Value   # Status
'0x{0:X8}' -f $event.Properties[9].Value   # SubStatus: the code that says why

# Common sub-status codes:
#   0xC000006A - Bad password
#   0xC0000234 - Account locked out
#   0xC0000071 - Password expired
#   0xC0000072 - Account disabled

# Check the AD logs on the DC:
Get-WinEvent -LogName "Directory Service" -MaxEvents 20
```
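The sub-status codes above are what separate a helpdesk problem (one user with an expired or disabled account) from something security operations needs to see (many accounts failing with bad passwords from one source). The following summary is an added example, not from the original article; it extends the article's four codes with a few more standard NTSTATUS values, uses the 4625 property positions shown above, and assumes it runs with rights to read the Security log.

```powershell
function Get-LogonFailureSummary {
    # Reads recent 4625 events and tags each with a human-readable SubStatus reason.
    param([int]$MaxEvents = 500)

    # Keys are formatted as hex strings so the lookup does not depend on numeric type.
    $subStatusReason = @{
        '0xC000006A' = 'Bad password'
        '0xC0000234' = 'Account locked out'
        '0xC0000071' = 'Password expired'
        '0xC0000072' = 'Account disabled'
        '0xC0000064' = 'User name does not exist'
        '0xC000006F' = 'Logon outside allowed hours'
        '0xC0000193' = 'Account expired'
    }

    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $code = '0x{0:X8}' -f $e.Properties[9].Value    # SubStatus
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $e.Properties[5].Value           # TargetUserName
            Domain    = $e.Properties[6].Value           # TargetDomainName
            LogonType = $e.Properties[10].Value
            Source    = $e.Properties[19].Value          # IpAddress
            SubStatus = $code
            Reason    = if ($subStatusReason.ContainsKey($code)) { $subStatusReason[$code] } else { 'Other' }
        }
    }
}

$failures = Get-LogonFailureSummary

# Per-account view: the Reason column tells you which Step above applies.
$failures | Group-Object User, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Many distinct accounts failing with 'Bad password' from one source address is not a
# password-reset ticket: report it to security operations before unlocking anything.
$failures | Where-Object Reason -eq 'Bad password' | Group-Object Source |
    Where-Object { ($_.Group.User | Sort-Object -Unique).Count -ge 10 } |
    Select-Object Name, Count, @{n='Accounts'; e={($_.Group.User | Sort-Object -Unique).Count}}
```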
Step 8: Test LDAP Authentication
```powershell
# Prompt for the credentials to test rather than typing the password on the command line:
$cred = Get-Credential -Message "Account to test against LDAP"

# Create a DirectoryEntry that will bind with those credentials:
$ldap = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://dc.mydomain.local",
    $cred.UserName,
    $cred.GetNetworkCredential().Password)

# The bind is lazy, so force it to find out whether the credentials are accepted:
try {
    $ldap.RefreshCache()
    Write-Host "LDAP bind successful: $($ldap.Path)"
} catch {
    Write-Host "LDAP bind failed: $($_.Exception.Message)"
}

# Search for the user object over the bound connection:
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ldap)
$searcher.Filter = "(sAMAccountName=username)"
$result = $searcher.FindOne()
$result.Properties["distinguishedname"]
```
Step 9: Reset and Unlock Account
```powershell
# Full account reset (the temporary password is prompted for, not passed as a literal):
Unlock-ADAccount -Identity username
Enable-ADAccount -Identity username
Set-ADAccountPassword -Identity username -Reset -NewPassword (Read-Host -AsSecureString "Temporary password")
Set-ADUser username -PasswordNeverExpires $false
Set-ADUser username -ChangePasswordAtLogon $true

# Clear account expiration:
Clear-ADAccountExpiration -Identity username

# Verify the account:
Get-ADUser username -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate

# Test login: have the user log in with the temporary password; they are prompted to change it
```
Step 10: AD Authentication Verification Script
```powershell
# Save the following as C:\Scripts\check_ad_auth.ps1
param([Parameter(Mandatory)][string]$username)

Write-Host "=== User Account Status ==="
Get-ADUser $username -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet, AccountExpirationDate | Format-List

Write-Host ""
Write-Host "=== Password Policy ==="
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordLength, LockoutThreshold, LockoutDuration | Format-Table

Write-Host ""
Write-Host "=== Domain Controller ==="
Get-ADDomainController -Discover | Select-Object Name, IPv4Address | Format-Table

Write-Host ""
Write-Host "=== Domain Connectivity ==="
Test-Connection -ComputerName (Get-ADDomainController).Name -Count 1 | Format-Table

Write-Host ""
Write-Host "=== Kerberos Tickets ==="
klist

Write-Host ""
Write-Host "=== Time Sync ==="
w32tm /query /status | Select-String "Last Successful Sync"

Write-Host ""
Write-Host "=== Recent Login Failures ==="
# Filter on the event ID in the query, then on the target user name (property 5); -MaxEvents applies before the user filter
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $username } |
    Format-Table TimeCreated, Id, @{n='SubStatus'; e={'0x{0:X8}' -f $_.Properties[9].Value}}

Write-Host ""
Write-Host "=== Account Groups ==="
Get-ADUser $username -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# Run the script:
powershell -File C:\Scripts\check_ad_auth.ps1 -username myuser

# Quick check without the script:
Get-ADUser username -Properties Enabled, LockedOut, PasswordExpired
```
AD Authentication Checklist
| Check | Command | Expected |
|---|---|---|
| Account enabled | Get-ADUser Enabled | True |
| Account not locked | Get-ADUser LockedOut | False |
| Password not expired | Get-ADUser PasswordExpired | False |
| DC reachable | Test-Connection | Responds |
| DNS correct | Resolve-DnsName DC | Resolves |
| Time sync | w32tm /query | Within 5 min |
| Kerberos ticket | klist | Valid TGT |
Verify the Fix
```powershell
# After fixing authentication

# 1. Check the account
Get-ADUser username -Properties Enabled, LockedOut, PasswordExpired   # Enabled True, LockedOut False, PasswordExpired False

# 2. Test login with the new password: should succeed

# 3. Check Kerberos
klist                                                                  # valid TGT (krbtgt/MYDOMAIN.LOCAL)

# 4. Test LDAP (from a Linux client)
ldapsearch -H ldap://dc.mydomain.local -D "username@mydomain.local" -W # bind successful

# 5. Check the domain secure channel
Test-ComputerSecureChannel                                             # True

# 6. Monitor for successful logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5
```
Related Issues
- [Fix Active Directory Domain Trust Failed](/articles/fix-active-directory-domain-trust-failed)
- [Fix Active Directory DNS Resolution Failed](/articles/fix-active-directory-dns-resolution-failed)
- [Fix Windows DNS Resolution Failed](/articles/fix-windows-dns-resolution-failed)