Active Directory failed login attempts

bbennett 0 Reputation points
2023-02-02T16:52:40.79+00:00

I have a program that sends me an email with all of the login attempts, be it a successful attempt or a failed login. I am seeing that after a user is able to authenticate against one of the domain controllers and logs into their workstation, there is a failed login from a former employee's admin account. I am having a hard time tracking down what is causing this to happen.

Please help, I am pulling my hair out.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

3 answers

  1. Rafael da Rocha 5,251 Reputation points
    2023-02-02T17:26:38.4833333+00:00

    Hello,

    This is probably a service or scheduled task configured to run under that user's credentials.


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-02-02T23:25:30.79+00:00

    Hi @BBennett

    In the event, check the IP of the source machine. If you are able to identify this machine, check if there is a mapped drive, scheduled task, Windows service, or script still using the admin account.

    Please don't forget to mark helpful answer as accepted


  3. Limitless Technology 44,766 Reputation points
    2023-02-03T17:12:22.9233333+00:00

    Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.

    To track down the cause of the failed login attempts from a former employee's admin account, you can try the following steps:

    1. Check Event Viewer on the domain controller and workstation where the login attempts are recorded to see if there are any specific error messages or codes related to the failed login attempts.
    2. Monitor the security logs of the domain controllers and workstations for any suspicious activity.
    3. Check if there are any scheduled tasks or scripts that are running under the former employee's admin account.
    4. Verify if there are any devices or systems that may be authenticating with the former employee's admin account credentials, such as automated backup systems or network printers.
    5. If the issue persists, you can use network monitoring tools to track the source of the failed login attempts.
    6. If you are still unable to find the cause of the failed login attempts, you may need to change the password for the former employee's admin account to prevent further unauthorized access.

    It's important to take the necessary steps to secure your network and prevent unauthorized access. It is recommended to engage the services of an experienced IT security professional if you are unable to resolve the issue.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

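One way to carry out the "check the source machine in the event" step the answers above describe, as an added PowerShell example that is not part of any poster's reply: it parses failed-authentication events (4625, 4771, 4776) from the Security log and counts them per source for one account. The account name `jdoe-admin`, the function names and the sample event are constructed for illustration.

```powershell
# Added example: the account name and the sample event are constructed placeholders.
$Account = 'jdoe-admin'   # hypothetical former employee's admin account
function Get-FailedLogonSource {
    # Extract account and source fields from one Security event given as XML.
    # 4625 = failed logon, 4771 = Kerberos pre-auth failed, 4776 = NTLM validation.
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = [xml]$EventXml
    $d = @{}
    foreach ($n in $evt.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 4625 names the client in WorkstationName, 4776 in Workstation; '-' means empty.
    $ws = @($d['WorkstationName'], $d['Workstation']) |
        Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
    [pscustomobject]@{
        Time        = $evt.Event.System.TimeCreated.SystemTime
        EventId     = [int]$evt.Event.System.EventID
        Account     = $d['TargetUserName']
        # Kerberos events log IPv4 clients as ::ffff:a.b.c.d; strip the prefix.
        IpAddress   = "$($d['IpAddress'])" -replace '^::ffff:', ''
        Workstation = $ws
        LogonType   = $d['LogonType']   # only present on 4625
        Status      = $d['Status']
    }
}

function Find-FailedLogonSource {
    # Run on a domain controller, elevated: count failures for one account per source.
    param([string]$Account, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FailedLogonSource -EventXml $_.ToXml() } |
        Where-Object { $_.Account -eq $Account } |
        Group-Object IpAddress, Workstation |
        Sort-Object Count -Descending
}

# Constructed sample of a 4771 event, so the parser can be tried without a DC.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><TimeCreated SystemTime="2023-02-02T16:40:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe-admin</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="IpAddress">::ffff:192.0.2.25</Data>
  </EventData>
</Event>
'@
Get-FailedLogonSource -EventXml $sample
# Live use on a DC:  Find-FailedLogonSource -Account $Account
```

On the source machine this points to, `Get-ScheduledTask` (the `Principal.UserId` property) and `Get-CimInstance Win32_Service` (the `StartName` property) list the tasks and services configured to run under the account.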
