Active Directory
A set of directory-based technologies included in Windows Server.
6,244 questions
Event id 4624
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 19%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZS%3C/text%3E%3C/svg%3E)
ZEESHAN SAYYAD
1
Reputation point
We are seeing some DCs in the environment showing a successful logon event while an account is locked out and need to understand why..
user: jjones
In the attached logs, there are 4771 events for kerberos pre-auth failures up until 3/28/22 1:37:05.000 PM, when the account is locked out and a 4740 event is generated from DC eqrnts08.
Subsequent logon attempts result in additional 4771 or 4769 audit failure events, but at 3/28/22 1:47:58.000 PM, before the account is unlocked, DC eqrnts11 issues a 4624 logon success.
The account lockout duration expires at 2:37PM, when a "actual" 4624 is then issued and the account is logged on.