Why is a user whose account has been disabled and who is no longer at the company generating event 4768 in the Windows security log?

Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and whose account I have disabled. The ticket options are 0x40810010, the result code is 0x12, and the service ID is NULL, which is consistent with the user account being disabled. The account name is the user name and the PC name, since they were the same. The PC has since been re-imaged. The client address is ::ffff:10.0.1.236 (my Exchange server). I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Robert Wilmoth, IT Manager, asked:
arnold commented:
First you have to identify the source of the requests, internal/external.
See if the user's mailbox is still active and attempts to process a filter to store an attachment ......

Look through your message trace to see if ....
Without knowing the source one can only guess that a device the user used still has references to the old account and is still running/accessing resources.
Tom Cieslik, IT Engineer, commented:
Who was this user? Was he your domain admin?
If yes, then maybe he set up some program services running under his account name, or maybe he set up some rules in Exchange.
Mal Osborne, Alpha Geek, commented:
If you have Exchange, or Office 365 in AD-integrated mode, AND this user has a cellphone or home machine set up to receive email, you will see this, as the Exchange machine passes the logon along and tries to authenticate users on a DC. Also, browsing via OWA, or trying to log into a VPN, might do this.

Could also be a PC somewhere, or a terminal server, that this user was left logged into.
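To settle "where are these coming from" by measurement rather than guesswork, here is an added example that is not part of the original thread: a PowerShell script, run on (or against) the DC, that pulls every 4768 with result code 0x12 (KDC_ERR_CLIENT_REVOKED, the code the KDC returns for disabled, expired or locked-out accounts) from the Security log, decodes the TicketOptions bit field, and groups the failures by the client address that sent the AS-REQ. The account name 'jsmith' and the computer name default are assumed placeholders; everything else is the standard 4768 event schema.

```powershell
# Added example, not from the original thread: hunt for Kerberos AS-REQ failures
# (event 4768) with result code 0x12 = KDC_ERR_CLIENT_REVOKED, which the KDC
# returns for disabled, expired or locked-out accounts, and show which client
# addresses keep sending them. Run in an elevated PowerShell session on the DC
# that logs the failures, or point -ComputerName at it. 'jsmith' is an assumed
# placeholder for the disabled account.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Account      = 'jsmith',
    [int]$MaxEvents       = 5000
)

# KDCOptions flag bits (RFC 4120 section 5.4.1), as logged in the TicketOptions
# field. 0x40810010 = forwardable + renewable + canonicalize + renewable-ok,
# the normal request a Windows Kerberos client sends when asking for a TGT.
$KdcOptionBits = @{
    0x40000000 = 'forwardable'
    0x20000000 = 'forwarded'
    0x10000000 = 'proxiable'
    0x08000000 = 'proxy'
    0x04000000 = 'allow-postdate'
    0x02000000 = 'postdated'
    0x00800000 = 'renewable'
    0x00010000 = 'canonicalize'
    0x00000020 = 'disable-transited-check'
    0x00000010 = 'renewable-ok'
    0x00000008 = 'enc-tkt-in-skey'
    0x00000002 = 'renew'
    0x00000001 = 'validate'
}

function ConvertFrom-TicketOptions {
    param([string]$Hex)                      # e.g. '0x40810010'
    $value = [Convert]::ToUInt32($Hex, 16)  # base 16 accepts the 0x prefix
    $names = foreach ($bit in ($KdcOptionBits.Keys | Sort-Object -Descending)) {
        if (($value -band $bit) -ne 0) { $KdcOptionBits[$bit] }
    }
    $names -join ','
}

# XPath filter: 4768 with Status 0x12. The account is matched in PowerShell below
# because TargetUserName can arrive as 'jsmith' or 'jsmith@corp.example' and the
# event log XPath comparison is exact.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4768)]] and *[EventData[Data[@Name='Status']='0x12']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $ComputerName -FilterXml $filterXml `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData Name/value pairs into a hashtable.
    $d = @{}
    foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ((($d.TargetUserName) -split '@')[0] -ine $Account) { continue }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Account       = $d.TargetUserName
        # The DC logs IPv4 clients as IPv4-mapped IPv6, e.g. ::ffff:10.0.1.236.
        ClientAddress = ($d.IpAddress -replace '^::ffff:', '')
        ClientPort    = $d.IpPort
        ServiceSid    = $d.ServiceSid         # NULL SID on a failed request, as in the question
        TicketOptions = "$($d.TicketOptions) ($(ConvertFrom-TicketOptions $d.TicketOptions))"
        PreAuth       = $d.PreAuthType
        Status        = $d.Status
    }
}

# One line per source. If every failure carries the Exchange server's address, the
# stale credentials are arriving through Exchange (ActiveSync, OWA, Outlook Anywhere),
# not from a workstation logon, which is the situation described in this thread.
$rows | Group-Object ClientAddress | Sort-Object Count -Descending |
    Format-Table Count, Name,
        @{ Name = 'FirstSeen'; Expression = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ Name = 'LastSeen';  Expression = { ($_.Group | Measure-Object Time -Maximum).Maximum } } -AutoSize

# The most recent requests in full, to see the per-request detail.
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-List
```

The client address on the DC only tells you which host relayed the logon. When it is the Exchange server, the next hop is the Exchange side (IIS logs for ActiveSync/OWA, keyed on the same timestamps) to find the actual device; this script stops at what the Security log can prove.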
Robert Wilmoth (author) commented:
Thanks for all the suggestions, guys. He did have a cell phone; I removed its Exchange membership and then deleted the email account. The user was not a domain admin, just a regular user, so no services would be running under his name. No other machine is logged in under his name. I suppose he could have tried to log into OWA, but it is highly unlikely. In double-checking his disabled account I realized I had not removed him from our VPN users group as I usually do. Could this have caused the failed logins even though the account was disabled? If so, I still don't understand the association with my Exchange server.
arnold commented:
Any resource the user had access to and configured on devices, etc., could, as long as those configurations are in place, continue to attempt to access the resources the user was formerly authorized for.

As long as the account is disabled, the access/authorization attempts will be denied.
This is the pitfall of external access from user devices. Often the longest delay is how long the upgrade cycle takes for the user to upgrade their device. The other thing that prolongs it is that the upgrades often include the transfer of all their pre-configured email etc., and thus possibly reactivate a previously disabled .........
Robert Wilmoth (author) commented:
OK, I think I get this now. Could it also be possible that, since I did not remove this user from groups before disabling the account, what I'm seeing could be attributed to email groups the user belonged to?
arnold commented:
No. Group membership provides context for authorization; nothing on your side can prevent a user's device from submitting credentials for authentication.
Re VPN: unless you use an individualized VPN where each user has their own specific VPN configuration, if your VPN relies on certificates, make sure to revoke the user's certificate; this will prevent the initial phase of VPN establishment. Currently, the VPN is partially established and then the user has to authenticate to be authorized (disabled, the authorization/authentication fails), but the limited VPN connection with no other access is initially set up, no access to resources.....
Robert Wilmoth (author) commented:
Thanks for the help guys.