Windows 11 24H2 could cause a huge trouble in some scenarios
Idea shared by Daniel - 2/18/2025 at 2:45 AM
Proposed
Hello,

I encountered a strange problem with some users working with Outlook and upgrading to W11 24H2; while googling I found this thread: https://community.spiceworks.com/t/win11-24h2-update-outlook-client-exchange-account-repetitive-ad-account-locked/1130088/31?page=2

So it seems that with W11 24H2, if the AD user.name is the same as in the mail account (say AD account addomain.local\user.name and email user.name@domain.com), it ignores that the domains are different and hits the stored mail account password against your domain controllers (if they are different, and you have account lockout configured → your AD account will be locked out).
So for now the only bypasses are:
1. same password for ad and mail
2. disable account lockout
3. change the username on one of the systems

SmarterMail Cloud could help us by allowing us to have a different username (for login) than emailaddress@domain.
(Perhaps a solution like ignoring "." in the username login: user.name@domain.com = ok, user..name@domain.com = ok.)

I ran into this too. The workaround I ended up with is making an extra dummy AD account for each affected user, and on the dummy account I set the UPN suffix to the same as the email domain so the full UPN ("User logon name" text box plus dropdown box on the Account tab in the user's properties in Active Directory Users and Computers) is the same as the user's email address. The user's real AD account needs a UPN suffix that's different from the email domain (in our case the UPN suffix for the users' real AD accounts is similar to something.example.com and the email domain is example.com).

Then I made up a pre-Windows 2000 logon name (I just prefixed their real username with an e, for email). I made up a random long password for it and disabled the account ("Account is disabled" in the "Account options" box). The pre-Windows 2000 logon name can be pretty much anything that isn't otherwise in use, doesn't matter much since nobody will actually be using it, but you have to enter something.

It looks like this dummy account will be attempted instead of the real one (I guess since it is an exact match) and the real AD account doesn't get bothered anymore. Kind of messy but it seems to get the job done.

You might have to add the UPN suffix that matches the email domain in Active Directory Domains and Trusts -> Right click Active Directory Domains and Trusts -> Properties -> UPN Suffixes, if you don't already have it available in the user properties in Active Directory Users and Computers.
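The dummy-account workaround described in the reply above, scripted as an added example (not code from the thread or from SmarterMail): it registers the e-mail domain as a UPN suffix if needed, then creates a disabled placeholder account whose UPN equals the user's e-mail address. It assumes the RSAT ActiveDirectory module; `user.name`, `example.com`, the `e` prefix and the OU path are placeholders to replace.

```powershell
# Added example; assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$realSam     = 'user.name'     # placeholder: the real account's pre-Windows 2000 logon name
$emailDomain = 'example.com'   # placeholder: the e-mail domain (must differ from the real UPN suffix)
$targetOu    = 'OU=MailPlaceholders,DC=addomain,DC=local'   # placeholder OU for the dummy accounts

# Sanity check: the real account must not itself use the e-mail domain as UPN suffix,
# otherwise the dummy account cannot be the exact match that absorbs the bad logons.
$realUser = Get-ADUser -Identity $realSam -Properties UserPrincipalName
if ($realUser.UserPrincipalName -like "*@$emailDomain") {
    throw "Real account $realSam already has the UPN suffix $emailDomain; change it first."
}

# Step 1: make sure the e-mail domain is an available UPN suffix
# (same as Active Directory Domains and Trusts -> Properties -> UPN Suffixes).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $emailDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $emailDomain }
}

# Step 2: dummy identity. The pre-Windows 2000 name just has to be unused (and at most 20 chars);
# the reply prefixes the real name with "e" for "email".
$dummySam = "e$realSam"
$dummyUpn = "$realSam@$emailDomain"
if (Get-ADUser -Filter "SamAccountName -eq '$dummySam' -or UserPrincipalName -eq '$dummyUpn'") {
    throw "An account with SamAccountName $dummySam or UPN $dummyUpn already exists."
}

# Step 3: random long password nobody knows (48 random bytes, base64-encoded = 64 characters).
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

# Step 4: create the account disabled, so it can never be used for an interactive logon.
New-ADUser -Name "Mail placeholder for $realSam" `
    -SamAccountName $dummySam `
    -UserPrincipalName $dummyUpn `
    -AccountPassword $password `
    -Enabled $false `
    -Description "Disabled placeholder: absorbs Outlook (W11 24H2) logons for $dummyUpn" `
    -Path $targetOu

# Step 5: confirm what was created.
Get-ADUser -Identity $dummySam -Properties UserPrincipalName, Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled
```

Run it in a test OU first; once the placeholder exists, the failed attempts should show up against `e<user.name>` rather than against the real account, which is the easiest way to confirm the workaround took effect.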
