Hi Glenn,
There is also an attribute that was designed for detecting stale accounts that you could query, called lastLogonTimestamp. Note that by default it will be 9-14 days behind the current date. This behaviour is expected and is how it works. It should assist you with detecting stale accounts by using AD attributes instead of events.
However, another more real-time source, like you've mentioned, is to check the security logs on the domain controllers.
Here are the key event IDs to look for:
- Event ID 4624: This event indicates a successful logon. It logs the account name and the time of the logon. By tracking this event, you can see when and how often the account is being used.
- Event ID 4625: This event indicates a failed logon attempt. It can help you identify unauthorized access attempts or issues with the account credentials.
- Event ID 4648: This event is logged when a logon attempt is made with explicit credentials, such as when using the RunAs command. It can indicate that the account credentials are being used actively, even if not for interactive logons.
- Event ID 4634: This event signals a logoff. While it doesn't directly indicate usage, in conjunction with logon events, it can help paint a picture of the account's activity patterns.
- Event ID 4768: This event is generated when a Kerberos authentication ticket (TGT) is requested. It indicates an attempt to access network resources, suggesting the account is in use.
- Event ID 4776: This event is generated when a computer attempts to validate the credentials of an account with the domain controller. It's useful for tracking when and how often the account credentials are being verified against the Active Directory.
- Event ID 4740: This event indicates an account lockout, which can occur after multiple failed logon attempts. It can be a sign of either incorrect credential usage or a potential attack on the account.
Also take note of the logon types, described here: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
I hope it helps, good luck.
Marius Ene - https://mariusene.com/
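The two approaches described in the reply above, combined in one script, as an added example that is not part of Marius's post: first the attribute-based pass over lastLogonTimestamp (converted from its FILETIME representation and compared against a staleness threshold), then a confirmation pass that pulls the seven listed event IDs from each domain controller's Security log and keeps only those whose TargetUserName matches the account under review. It assumes the RSAT ActiveDirectory module is installed, that the session can read the Security log on the DCs, and that $ThresholdDays and $Account (here 'svc-backup') are hypothetical parameters chosen for illustration.

```powershell
# Added example, not code from the original reply.
# Assumptions: RSAT ActiveDirectory module present; rights to read the Security
# log on each DC; $ThresholdDays and $Account are hypothetical illustration values.
param(
    [int]$ThresholdDays = 90,
    [string]$Account = 'svc-backup'   # hypothetical account name
)

Import-Module ActiveDirectory

# --- 1. Attribute-based view: lastLogonTimestamp -------------------------
# lastLogonTimestamp is replicated between DCs but is only rewritten when the
# stored value is older than msDS-LogonTimeSyncInterval (default 14 days, minus
# a random 0-5 day offset), which is where the 9-14 day lag comes from.
# It is stored as a Windows FILETIME (int64), so convert before comparing.
$cutoff = (Get-Date).AddDays(-$ThresholdDays)
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp |
    ForEach-Object {
        $raw = $_.lastLogonTimestamp
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            # $null / 0 means the attribute was never set for this account.
            LastLogonTimestamp = if ($raw) { [DateTime]::FromFileTime($raw) } else { $null }
        }
    } |
    Where-Object { -not $_.LastLogonTimestamp -or $_.LastLogonTimestamp -lt $cutoff } |
    Sort-Object LastLogonTimestamp

$stale | Format-Table -AutoSize

# --- 2. Event-based view: Security log on every DC -----------------------
# Because the attribute lags, confirm a candidate against the DCs' Security logs
# before disabling it. The IDs are the ones listed in the reply; LogonType is
# only present on 4624/4625/4634, IpAddress on 4624/4625/4648/4768, Status on
# 4625/4768/4776. All of them are read from the event's EventData XML.
$eventIds = 4624, 4625, 4648, 4634, 4768, 4776, 4740
$since    = (Get-Date).AddDays(-14)

$hits = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $filter = @{ LogName = 'Security'; Id = $eventIds; StartTime = $since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            # TargetUserName carries the account in all seven events; for 4648 it
            # is the account whose explicit credentials were supplied.
            if ($data['TargetUserName'] -eq $Account) {
                [pscustomobject]@{
                    DC        = $dc
                    Time      = $_.TimeCreated
                    Id        = $_.Id
                    LogonType = $data['LogonType']   # see the logon-types reference linked above
                    Source    = $data['IpAddress']
                    Status    = $data['Status']      # failure/result code where present
                }
            }
        }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Run it from a machine with RSAT against the domain; the first table is the list of candidates, the second is the evidence (or lack of it) for one account. If the second pass is empty for all DCs over a window longer than the 14-day lag, the attribute and the logs agree that the account is unused. Keep in mind that an account can still be in use without producing any of these events on a DC, for example when it only authenticates to a service with cached or non-domain credentials, so treat an empty result as a strong indicator rather than proof.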