Why is a user who's account has been disabled and is no longer at the company generating event 4768 in Windows security log?
Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and who's account I have disabled. The ticket options are 0x40810010 and result code is 0x12 service ID is Null which is consistent with the user account being disabled. The account name is the user name and the PC name since they were the same. The PC has since been re-imaged. The client address is ::ffff10.0.1.236 (my exchange server) I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Last Comment
Who was this user ? Is he was your domain admin ?
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
If yes then maybe he did setup some program services running under hist account name, or maybe he did setup some rules in Exchange.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for the help guys.
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
See if the users mailbox is still active and attempts to process a filter to store an attachment ......
Look through your message trace to see if ....
Without knowing the source one can only guess that a device the users used still has references to the old account that is still running/accessing resources.