Robert Wilmoth
asked on
Why is a user who's account has been disabled and is no longer at the company generating event 4768 in Windows security log?
Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and who's account I have disabled. The ticket options are 0x40810010 and result code is 0x12 service ID is Null which is consistent with the user account being disabled. The account name is the user name and the PC name since they were the same. The PC has since been re-imaged. The client address is ::ffff10.0.1.236 (my exchange server) I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Who was this user ? Is he was your domain admin ?
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the help guys.
See if the users mailbox is still active and attempts to process a filter to store an attachment ......
Look through your message trace to see if ....
Without knowing the source one can only guess that a device the users used still has references to the old account that is still running/accessing resources.