Avatar of Robert Wilmoth
Robert Wilmoth
Flag for United States of America asked on

Why is a user who's account has been disabled and is no longer at the company generating event 4768 in Windows security log?

Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and who's account I have disabled. The ticket options are 0x40810010 and result code is 0x12 service ID is Null which is consistent with the user account being disabled. The account name is the user name and the PC name since they were the same. The PC has since been re-imaged. The client address is ::ffff10.0.1.236 (my exchange server) I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
PCSecurityActive DirectoryExchange

Avatar of undefined
Last Comment
Robert Wilmoth

8/22/2022 - Mon
arnold

First you gave to identify the source of the requests internal/external.
See if the users mailbox is still active and attempts to process a filter to store an attachment ......

Look through your message trace to see if ....
Without knowing the source one can only guess that a device the users used still has references to the old account that is still running/accessing resources.
Tom Cieslik

Who was this user ? Is he was your domain admin ?
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
SOLUTION
Mal Osborne

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Robert Wilmoth

ASKER
Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Robert Wilmoth

ASKER
Thanks for the help guys.