Event id 4624
We are seeing some DCs in the environment showing a successful logon event while an account is locked out and need to understand why..
user: jjones
In the attached logs, there are 4771 events for kerberos pre-auth failures up until 3/28/22 1:37:05.000 PM, when the account is locked out and a 4740 event is generated from DC eqrnts08.
Subsequent logon attempts result in additional 4771 or 4769 audit failure events, but at 3/28/22 1:47:58.000 PM, before the account is unlocked, DC eqrnts11 issues a 4624 logon success.
The account lockout duration expires at 2:37PM, when a "actual" 4624 is then issued and the account is logged on.