Event ID AD Account login

Glenn Maxwell 12,876 Reputation points
2024-02-10T21:42:25.2833333+00:00

Hi All, I have an AD account and I have a requirement to delete it, but before deleting it I want to check in the event logs whether this account is still being used or not, i.e. whether it is getting authenticated to Active Directory by any application or on any server. Other than these three event IDs (Security event logs: 4768, 4769, 4648), are there any other event IDs to check? Please guide me.


Accepted answer
  1. Marius Ene 345 Reputation points
    2024-02-10T23:54:53.36+00:00

    Hi Glenn,

    There is also an attribute that was designed for detecting stale accounts that you could query, called lastLogonTimestamp. Note that by default it will be 9-14 days behind the current date. This behaviour is expected and it's how it works. It should assist you with detecting stale accounts by using AD attributes instead of events.

    However, another more real-time source, like you've mentioned, is to check the security logs on the domain controllers.

    Here are the key event IDs to look for:

    1. Event ID 4624: This event indicates a successful logon. It logs the account name and the time of the logon. By tracking this event, you can see when and how often the account is being used.
    2. Event ID 4625: This event indicates a failed logon attempt. It can help you identify unauthorized access attempts or issues with the account credentials.
    3. Event ID 4648: This event is logged when a logon attempt is made with explicit credentials, such as when using the RunAs command. It can indicate that the account credentials are being used actively, even if not for interactive logons.
    4. Event ID 4634: This event signals a logoff. While it doesn't directly indicate usage, in conjunction with logon events, it can help paint a picture of the account's activity patterns.
    5. Event ID 4768: This event is generated when a Kerberos authentication ticket (TGT) is requested. It indicates an attempt to access network resources, suggesting the account is in use.
    6. Event ID 4776: This event is generated when a computer attempts to validate the credentials of an account with the domain controller. It's useful for tracking when and how often the account credentials are being verified against the Active Directory.
    7. Event ID 4740: This event indicates an account lockout, which can occur after multiple failed logon attempts. It can be a sign of either incorrect credential usage or a potential attack on the account.

    Also take note of the logon types, described here: https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types

    I hope it helps, good luck.

    Marius Ene - https://mariusene.com/


1 additional answer

  1. Thameur-BOURBITA 36,266 Reputation points Moderator
    2024-02-10T22:41:25.6766667+00:00

    Hi @Glenn Maxwell

    You can also check the lastLogonTimestamp and lastLogon attributes, and whether there are NTLM events for this account:

    4776 (S, F): The computer attempted to validate the credentials for an account. You can also try to disable it before deleting it. In case of an issue, you can re-enable it.


    Please don't forget to accept the helpful answer.

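Putting both answers together, the script below is an added example (not posted by either answerer): it reads the replicated lastLogonTimestamp, the non-replicated lastLogon on every domain controller, and then sweeps each DC's Security log for the event IDs listed in the accepted answer, matched on the account's TargetUserName. It assumes the RSAT ActiveDirectory module, rights to read the DCs' Security logs, and that $SamAccountName is the account you are about to retire.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and
# permission to read the Security log on every DC. $SamAccountName is a placeholder.
param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 30)
Import-Module ActiveDirectory

# Attribute check: lastLogonTimestamp is replicated but lags 9-14 days behind.
$u = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp
$lts = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { 'never' }
Write-Host "lastLogonTimestamp (replicated): $lts"

# Logon-related IDs from the accepted answer. 4768/4776 only appear if Kerberos
# and credential-validation auditing are enabled. The TargetUserName match is
# a literal string compare, so use the exact case stored in AD.
$ids = 4624, 4625, 4648, 4634, 4768, 4776, 4740
$idClause = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
$ms = [int64]$Days * 86400000   # timediff() works in milliseconds
$xpath = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    # lastLogon is not replicated, so it must be read from each DC separately.
    $ll = (Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon).lastLogon
    $llText = if ($ll) { [DateTime]::FromFileTime($ll) } else { 'never' }
    Write-Host "$($dc.HostName): lastLogon = $llText"
    try {
        Get-WinEvent -ComputerName $dc.HostName -LogName Security -FilterXPath $xpath -ErrorAction Stop |
        ForEach-Object {
            # Flatten EventData so LogonType / source fields are easy to read.
            $d = @{}
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            [pscustomobject]@{
                DC = $dc.HostName; Time = $_.TimeCreated; EventId = $_.Id
                LogonType = $d['LogonType']; Source = $d['IpAddress']; Workstation = $d['WorkstationName']
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; any other error is worth seeing.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

if ($events) {
    $events | Sort-Object Time | Format-Table DC, Time, EventId, LogonType, Source, Workstation -AutoSize
} else {
    Write-Host "No matching events for $SamAccountName in the last $Days days on any DC."
}
```

Run it over a window longer than your DCs' Security log retention is pointless, so check the log size first; an empty result combined with a stale lastLogon on every DC is the signal that the account can be disabled before deletion, as the second answer suggests.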