Score:0

User activity is detected from a disabled account in Active Directory


I have disabled a user in my Active Directory (terminated the account). However, I am still getting logs with Event IDs 5379 (Credential Manager credentials were read), 4673 (a privileged service was called) and 4656 (a handle to an object was requested).

And the processes called are:

gfxdownloadwrapper.exe  4673
lsbupdater.exe  4673
cleanmgr.exe    4673
quickup.exe 4673
searchui.exe    4673

What could be the reason? The user is disabled, so how are these events getting logged with Account Name: disabled_user.name?

Disabling an account in AD doesn't mean the account cannot log on to an endpoint, due to cached credentials.
Score:0

At a glance, those mostly appear to be regularly scheduled tasks from a Windows client machine, I'm guessing the laptop/desktop assigned to the user whose account has been terminated.

I imagine the account may not have been disabled/removed from the machine in question, so some scheduled tasks associated with the account are still being executed on the machine (e.g. search indexing, disk cleanup, etc).

My advice would be to check whether the account is active on the machine and if possible, disable and/or remove it.
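The check the answer recommends, as an added example that is not part of the original answer: a PowerShell triage script to run elevated on the suspect workstation. It confirms the account's state in AD, groups the 4656/4673/5379 events on the box by the process that raised them, and then looks for the things that let a disabled account keep acting locally: a logon session that predates the disable (disabling an account does not tear down existing sessions or revoke Kerberos tickets already issued), scheduled tasks whose principal is that user, and a cached domain profile that still allows offline logon. The account name `disabled_user.name`, the 7-day window and the profile-path heuristic are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Run elevated on the endpoint that is
# still logging 4656/4673/5379 for the disabled account. Requires the RSAT
# ActiveDirectory module for step 1 only; the rest is built-in.
$User = 'disabled_user.name'   # assumption: the sAMAccountName seen in the events

# 1. Confirm the account really is disabled in AD and when it last logged on.
Get-ADUser -Identity $User -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

# 2. Which local processes are still generating these events as that user?
#    SubjectUserName names the account; 4656/4673 also carry ProcessName
#    (5379 carries a ClientProcessId instead, so its Process column is empty).
$Since = (Get-Date).AddDays(-7)   # assumption: 7-day look-back
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4673, 5379; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.SubjectUserName -eq $User) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Process = $d.ProcessName
                LogonId = $d.SubjectLogonId   # ties every event back to one logon session
            }
        }
    } |
    Group-Object Id, Process | Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Is there still a live interactive session for the user? A session opened before
#    the account was disabled survives the disable, and cached credentials allow a
#    fresh logon while the machine cannot reach a DC.
quser 2>$null | Select-String -Pattern $User

# 4. Scheduled tasks that run as that user (the search/cleanup suspicion in the answer).
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

# 5. Cached domain profile still on disk. Assumption: the profile folder is named
#    after the account, which is the Windows default but not guaranteed.
Get-CimInstance Win32_UserProfile |
    Where-Object { $_.LocalPath -like "*\$User" } |
    Select-Object LocalPath, Loaded, LastUseTime

# Remediation, once confirmed: log the session off, disable the tasks, remove the profile.
# logoff <session id from quser>
# Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$User*" } | Disable-ScheduledTask
# Get-CimInstance Win32_UserProfile | Where-Object { $_.LocalPath -like "*\$User" } | Remove-CimInstance
```

Step 2 is the one that answers the question as asked: if every event shares one SubjectLogonId, the activity is a single session that was already open when the account was disabled, and a logoff (or reboot) ends it. If new LogonIds keep appearing, the machine is still authenticating the user, which points at cached credentials or a task with stored credentials rather than at a stale session.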
