Event id 4624

ZEESHAN SAYYAD 1 Reputation point
2022-04-13T17:51:28.187+00:00

We are seeing some DCs in the environment showing a successful logon event while an account is locked out and need to understand why..
user: jjones
In the attached logs, there are 4771 events for kerberos pre-auth failures up until 3/28/22 1:37:05.000 PM, when the account is locked out and a 4740 event is generated from DC eqrnts08.
Subsequent logon attempts result in additional 4771 or 4769 audit failure events, but at 3/28/22 1:47:58.000 PM, before the account is unlocked, DC eqrnts11 issues a 4624 logon success.
The account lockout duration expires at 2:37PM, when a "actual" 4624 is then issued and the account is logged on.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,060 questions
0 comments No comments
{count} votes