We help IT Professionals succeed at work.

Why is a user who's account has been disabled and is no longer at the company generating event 4768 in Windows security log?

293 Views
Last Modified: 2017-03-15
Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and who's account I have disabled. The ticket options are 0x40810010 and result code is 0x12 service ID is Null which is consistent with the user account being disabled. The account name is the user name and the PC name since they were the same. The PC has since been re-imaged. The client address is ::ffff10.0.1.236 (my exchange server) I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
First you gave to identify the source of the requests internal/external.
See if the users mailbox is still active and attempts to process a filter to store an attachment ......

Look through your message trace to see if ....
Without knowing the source one can only guess that a device the users used still has references to the old account that is still running/accessing resources.
Tom CieslikIT Superintendent
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Who was this user ? Is he was your domain admin ?
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
Mal OsborneAlpha Geek
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Robert WilmothIT Manager
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Robert WilmothIT Manager

Author

Commented:
Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Robert WilmothIT Manager

Author

Commented:
Thanks for the help guys.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions