
0X0000052E Logon Failure: Unknown User or Bad Password Fix

Windows Errors | Beginner | May 26, 2026

This error means Windows can't match the username or password you entered. It's almost always a typo, locked account, or domain trust issue.

Quick answer for the impatient

Hold Shift while clicking Restart to force a reboot into Safe Mode. Log in as Administrator (built-in account). Check if your user account is locked out via Local Users and Groups (lusrmgr.msc) - unlock it. Then reset your password from there.

What's actually going on here

This error code (0X0000052E) is Windows's way of saying "I can't find that user, or the password doesn't match." It's not some mysterious network glitch — it's almost always one of three things: you mistyped something, your account got locked from too many bad attempts, or the domain controller (if you're on a domain) can't verify your credentials because of a time sync or trust issue. I've seen this a thousand times over 14 years, and 80% of the time it's user error. Another 10% is account lockout policies, and the last 10% is NTLM or Kerberos authentication flaking out.

Common scenario: You're logging into a Windows 10 or 11 machine that's part of a domain. You've been typing your password for 15 minutes and it keeps failing. Or you're on a workgroup PC and you get this error when trying to access a shared folder on another machine.
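
To tell which of these causes applies instead of guessing, read the failed attempts from the Security log on the machine where the logon was tried. The PowerShell below is an added example, not part of the original article: it maps the Status/SubStatus codes of event 4625 ("An account failed to log on") to the causes described above. The helper name ConvertTo-LogonFailure and the CONTOSO sample events are constructed for illustration, and it assumes failure auditing for logon events is enabled.

```powershell
# Added example: explain failed logons from Security event 4625 by status code.
$CauseByCode = @{
    '0xc0000064' = 'Unknown user name (spelling, DOMAIN\user vs user@domain)'
    '0xc000006a' = 'Bad password (typo, Caps Lock, layout, stale cached credential)'
    '0xc0000234' = 'Account is locked out'
    '0xc0000072' = 'Account is disabled'
    '0xc0000133' = 'Clock skew between this PC and the domain controller'
}

function ConvertTo-LogonFailure {
    # Hypothetical helper: turns one 4625 event (XML text) into a flat record.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $f = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # SubStatus carries the specific reason; fall back to Status when it is 0x0.
        $code = "$($f['SubStatus'])".ToLower()
        if (-not $code -or $code -eq '0x0') { $code = "$($f['Status'])".ToLower() }
        $cause = $CauseByCode[$code]
        if (-not $cause) { $cause = "Other failure ($code)" }
        [pscustomobject]@{
            User      = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
            LogonType = $f['LogonType']
            Source    = $f['IpAddress']
            Cause     = $cause
        }
    }
}

# Constructed sample events, trimmed to the fields used, so this runs offline.
$t = '<Event><EventData><Data Name="TargetUserName">{0}</Data>' +
     '<Data Name="TargetDomainName">CONTOSO</Data><Data Name="Status">{1}</Data>' +
     '<Data Name="SubStatus">{2}</Data><Data Name="LogonType">{3}</Data>' +
     '<Data Name="IpAddress">{4}</Data></EventData></Event>'
$sample = @(
    ($t -f 'jdoe',  '0xc000006d', '0xc000006a', 2, '127.0.0.1'),
    ($t -f 'jdoee', '0xc000006d', '0xc0000064', 3, '192.0.2.10'),
    ($t -f 'jdoe',  '0xc0000234', '0x0',        2, '127.0.0.1'),
    ($t -f 'jdoe',  '0xc0000133', '0x0',        3, '192.0.2.10')
)
$sample | ConvertTo-LogonFailure | Format-Table -AutoSize

# On a live machine, from an elevated PowerShell prompt, use real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 50 |
#     ForEach-Object { $_.ToXml() } | ConvertTo-LogonFailure |
#     Group-Object User, Cause | Sort-Object Count -Descending
```

A run of "Bad password" rows for one user from the same source points to a typo or stale cached credential; the same pattern from many sources or against many users is worth a closer look before the lockout threshold is raised.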

Step-by-step fixes (in order of likelihood)

1. Check your keyboard layout and caps lock

You'd be surprised how often this is it. If you're using a non-US keyboard or have sticky keys, the password you think you're typing isn't what the system sees. Press Caps Lock once to turn it off. If you have a NumLock key, make sure it's on if your password includes numbers.

2. Verify the username

On a local machine, the username is case-insensitive but spelling counts. On a domain, it's DOMAIN\username or username@domain.com. Try both formats if you're not sure. Common mistake: using the email prefix instead of the SAM account name.

3. Check if the account is locked out

Open a Command Prompt as Administrator (you can do this from the login screen by clicking the Ease of Access icon — seriously, there's a trick: click it, then type cmd into the search box that appears). Then run:

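net user TARGETUSER /domain

Replace TARGETUSER with the name of the account that is failing to log on. At an elevated prompt, %USERNAME% holds the name of the account running the prompt, not the locked-out user. Add /domain to the two commands below when the account is a domain account; without it, net user changes the local account of that name.

If you see "Account active" = No, or it says lockout time, you're locked out. Run:

net user TARGETUSER /ACTIVE:YES

Then unlock with:

net user TARGETUSER /LOGONPASSWORDCHG:NO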

This clears the lockout flag.

4. Reset the password via another admin account

If you have another local admin account (like the built-in Administrator), log into that, then open Computer Management > Local Users and Groups > Users. Right-click your account, set a new password. Works every time on non-domain machines.

5. Fix time sync (domain machines only)

If your PC's clock is more than 5 minutes off from the domain controller, Kerberos authentication fails with this exact error. At the login screen, click the clock and set it manually, or from Safe Mode run:

w32tm /resync

If that fails, stop and restart the service:

net stop w32time
net start w32time
w32tm /resync

Alternative fixes if the main ones don't work

Check network connectivity to the domain controller

If you're on a domain but can't ping the DC, try nslookup domain.com. No result means DNS is broken. Set your DNS server manually to the DC's IP in IPv4 settings.

Clear cached credentials

Sometimes Windows caches a bad password. From an admin command prompt:

rundll32.exe keymgr.dll,KRShowKeyMgr

Delete any stored credentials for the target server or domain.

Disable NTLM fallback (advanced)

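If you're sure the password is right but it still fails, you might have a mismatched NTLM authentication policy. This is rare but happens on hardened systems. Check the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers": having it set to "Deny all" or "Audit all" can cause this. Change it back to "Allow all" if you're locked out. On a system where NTLM was restricted on purpose, a narrower fix is to list the affected server under "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" and leave the restriction in place.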

Prevention tips

  • Use a password manager. Stop typing passwords manually. Bitwarden or KeePass — pick one.
  • Set account lockout threshold higher than 3. Default Windows domain policy locks after 5 bad attempts. Bump it to 10 if your environment allows. Fewer support calls.
  • Enable password writeback if you're using Azure AD or on-prem AD. Let users reset their own passwords from the login screen.
  • Check your clock weekly. I've fixed more Kerberos issues with a simple time sync than any registry hack.

That's it. 95% of the time, one of these steps will get you back in. If not, you've got a deeper domain trust issue or a corrupt user profile — but that's a different conversation.
