windows server 2019 local user getting logoff on random time

Question

I have a very strange problem, and after having spent so many hours, still could not find solution.

I have windows server 2019 on which one application is running and it is using local user administrator account, however this account is getting logged off automatically with event id 4647 (user-initiated logoff) and as a result application also stops working, no one is doing this interactive log off. I have many gops applied based on customized CIS Benchmarking, but I have gone through all settings one by one, and I don't think any setting is doing this action.

Can you please suggest what's the cause of this?

Answer 1

Hello Shafiq, Majid,

Thank you for posting in our Q&A forum.

1.The main difference with “4634(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.

You can check Account Name under Subject, who logoff the local administrator account.

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647

2.Also, is your machine in one domain or not? If so, when you change aonther local account, check if you have the same issue.

3.If your machine is one domain, you can try to remove it from the domain and check if there is still such issue.

4.Check if there is any script or schedule that does this thing.

Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Hi Daisy,

Thanks for your message. yes, trying to narrow down the root cause, will use your suggestions.

Answer 3

I am seeing the similar issue in many our Server. I believe it started after we installed Azure Connected Machine Agent

Not sure, if your is also same case