How to find what is generating Event 4768
I'm getting a constant flow of these Event 4768 on one particular workstation. They show on the two DC's. We've checked the Credential Manager and didn't find the user's credentials. The username is for a previous employee gone for months. He was an IT tech and this was his elevated permissions user logon. I didn't find any services running under that username. I only found two references in the Registry with that username that were listing a path to that user's (now deleted) profile, for "last used".
How can I track down what is causing this. The user is deleted from AD and the profile is gone from the workstation and the server.
Event Code 16
User Name <previous-user-disabled>
Failure Code 0x6
Logon Service krbtgt/IW
Logon Time Oct 13,2022 09:51:32 PM
SID S-1-0-0
Remarks A Kerberos authentication ticket (TGT) was requested.
Event Number 4768
Domain Controller <DomainController>.domain.com
Event Type Failure
Client IP Address <client-IP-address>
Domain domain.com
Failure Type Bad user name
Client Host Name <workstation-hostname>.domain.com