Link to home
Start Free TrialLog in
Avatar of Robert Wilmoth
Robert WilmothFlag for United States of America

asked on

Why is a user who's account has been disabled and is no longer at the company generating event 4768 in Windows security log?

Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and who's account I have disabled. The ticket options are 0x40810010 and result code is 0x12 service ID is Null which is consistent with the user account being disabled. The account name is the user name and the PC name since they were the same. The PC has since been re-imaged. The client address is ::ffff10.0.1.236 (my exchange server) I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Avatar of arnold
arnold
Flag of United States of America image

First you gave to identify the source of the requests internal/external.
See if the users mailbox is still active and attempts to process a filter to store an attachment ......

Look through your message trace to see if ....
Without knowing the source one can only guess that a device the users used still has references to the old account that is still running/accessing resources.
Who was this user ? Is he was your domain admin ?
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
SOLUTION
Avatar of Mal Osborne
Mal Osborne
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Robert Wilmoth

ASKER

Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for the help guys.