How to find what is generating Event 4768

Fandango1985 1 Reputation point
2022-10-15T04:28:54.887+00:00

I'm getting a constant flow of these Event 4768 on one particular workstation. They show on the two DCs. We've checked the Credential Manager and didn't find the user's credentials. The username is for a previous employee gone for months. He was an IT tech and this was his elevated permissions user logon. I didn't find any services running under that username. I only found two references in the Registry with that username that were listing a path to that user's (now deleted) profile, for "last used".
How can I track down what is causing this? The user is deleted from AD and the profile is gone from the workstation and the server.

Event Code: 16
User Name: <previous-user-disabled>
Failure Code: 0x6
Logon Service: krbtgt/IW
Logon Time: Oct 13,2022 09:51:32 PM
SID: S-1-0-0
Remarks: A Kerberos authentication ticket (TGT) was requested.
Event Number: 4768
Domain Controller: <DomainController>.domain.com
Event Type: Failure
Client IP Address: <client-IP-address>
Domain: domain.com
Failure Type: Bad user name
Client Host Name: <workstation-hostname>.domain.com
