Why is a user whose account has been disabled and who is no longer at the company generating event 4768 in the Windows security log?

Robert Wilmoth
Daily I get a couple hundred event 4768 audit failures on my DC from a user who is no longer here and whose account I have disabled. The ticket options are 0x40810010 and the result code is 0x12; the service ID is Null, which is consistent with the user account being disabled. The account name is the user name and the PC name, since they were the same. The PC has since been re-imaged. The client address is ::ffff:10.0.1.236 (my Exchange server). I just don't understand why I'm seeing these errors. Any ideas would be appreciated.
Distinguished Expert 2017

Commented:
First you have to identify the source of the requests, internal/external.
See if the user's mailbox is still active and attempts to process a filter to store an attachment ......

Look through your message trace to see if ....
Without knowing the source one can only guess that a device the user used still has references to the old account and is still running/accessing resources.
Tom Cieslik, IT Engineer
Distinguished Expert 2017

Commented:
Who was this user? Was he your domain admin?
If yes, then maybe he set up some program services running under his account name, or maybe he set up some rules in Exchange.
If you have Exchange, or Office365 in AD integrated mode, AND this user has a cellphone or home machine set up to receive email, you will see this as the Exchange machine passes and tries to authenticate users on a DC. Also, browsing via OWA, or trying to log into a VPN might do this.

Could also be a PC somewhere, or a terminal server that this user was left logged into.
Robert Wilmoth, IT Manager
Commented:
Thanks for all the suggestions guys. He did have a cell phone, which I removed membership from Exchange, then deleted the email account. The user was not a domain admin, just a regular user, so no services would be running under his name. No other machine is logged in under his name. I suppose he could have tried to log into OWA but it is highly unlikely. In double-checking his disabled account I realized I had not removed him from our VPN users group as I usually do; could this have caused the failed logins even though the account was disabled? If so, I still don't understand the association with my Exchange server.
Distinguished Expert 2017
Commented:
Any resource the user had access to and configured on devices, etc. would, as long as they are in place, continue to attempt to access resources they formerly were authorized for.

As long as the account is disabled, the access/authorization attempts will be denied.
This is the pitfall of external access from user devices. Often the longest time deals with how long the upgrade cycle takes for the user to upgrade their device. The other thing that prolongs it is that the upgrades often include the transfer of all their pre-configured email etc. and thus possibly reactivate a prior disabled .........
Robert Wilmoth, IT Manager (Author)
Commented:
Ok I think I get this now. Could it also be possible that since I did not remove this user from groups before disabling that what I'm seeing could be attributed to email groups the user belonged to?
Distinguished Expert 2017
Commented:
No. Group membership provides context on authorization; nothing on your side can prevent a user's device from submitting credentials for authentication.
Re VPN: unless you use individualized VPN where each user has their own specific VPN configuration, if your VPN relies on certificates, make sure to revoke the user's certificate; this will prevent the initial phase of VPN establishment. Currently, the VPN is partially established and then the user has to authenticate to be authorized (disabled, the authentication/authorization fails), but the limited VPN connection with no other access is initially set up, no access to resources.....
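One way to triage these 4768 failures on the DC, as an added example that is not from the thread or its participants: it summarises the failures by account, Kerberos result code and client address (the thread's 0x12 from ::ffff:10.0.1.236 would show up as KDC_ERR_CLIENT_REVOKED from the Exchange server) and checks whether each account is disabled in AD. It assumes it runs on a DC with read access to the Security log and the ActiveDirectory module; the function name is my own.

```powershell
# Added example, not code from the thread. Summarise Kerberos TGT request failures
# (Event 4768) by account, result code and client address, and check whether the
# account is disabled in AD. Assumes: run on a DC with read access to the Security
# log and the ActiveDirectory module (for Get-ADUser); function name is my own.

$StatusText = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

function Get-TgtFailureSummary {
    param(
        [int]$Hours = 24,
        [string]$Account = '*'   # sAMAccountName pattern, e.g. the disabled user
    )
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours) }
    $failures = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the EventData fields (TargetUserName, Status, IpAddress, ...) out of the XML.
        $data = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # Status 0x0 means a TGT was issued; anything else is the KDC error code.
        if ($data.Status -eq '0x0' -or $data.TargetUserName -notlike $Account) { continue }
        $meaning = $StatusText[$data.Status]
        if (-not $meaning) { $meaning = 'see RFC 4120 KRB error codes' }
        [pscustomobject]@{
            Account       = $data.TargetUserName
            Status        = $data.Status
            Meaning       = $meaning
            # The KDC logs clients as IPv4-mapped IPv6, e.g. ::ffff:10.0.1.236.
            Source        = $data.IpAddress -replace '^::ffff:', ''
            TicketOptions = $data.TicketOptions
        }
    }
    $failures | Group-Object Account, Status, Source | ForEach-Object {
        $first = $_.Group[0]
        # Machine accounts and deleted users will not resolve; report that instead of failing.
        try   { $enabled = (Get-ADUser -Identity $first.Account -ErrorAction Stop).Enabled }
        catch { $enabled = 'not found' }
        [pscustomobject]@{
            Account = $first.Account; EnabledInAD = $enabled; Status = $first.Status
            Meaning = $first.Meaning; Source = $first.Source
            TicketOptions = $first.TicketOptions; Count = $_.Count
        }
    } | Sort-Object Count -Descending
}

# Usage: Get-TgtFailureSummary -Hours 24 -Account 'jdoe' | Format-Table -AutoSize
```

A disabled account with EnabledInAD False, Status 0x12 and a single Source is the pattern the thread describes: some device or service behind that address is still presenting the old credentials, and the KDC is correctly refusing them.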
Robert Wilmoth, IT Manager (Author)
Commented:
Thanks for the help guys.