A user activity is detected from a disabled account in Active directory

Question

I have disabled an user in my Active Directory (terminated the account). However, I am still getting the log that Event IDs 5379 (credential manager credentials were read.), 4673 (a privileged service was called.), 4656 (a handle to an object was requested.)

And the processes called are:

gfxdownloadwrapper.exe  4673
lsbupdater.exe  4673
cleanmgr.exe    4673
quickup.exe 4673
searchui.exe    4673

What could be the reason?? The user is disabled then how are these events getting logged with Account name: disabled_user.name

Disabling an account in AD doesn't mean an account cannot logon an endpoint due to cached credentials. — Greg Askew, Feb 03 '22 at 11:46

BE77Y · Accepted Answer · 2022-02-09T15:31:26.493

At a glance, those mostly appear to be regularly scheduled tasks from a Windows client machine, I'm guessing the laptop/desktop assigned to the user whose account has been terminated.

I imagine the account may not have been disabled/removed from the machine in question, so some scheduled tasks associated with the account are still being executed on the machine (e.g. search indexing, disk cleanup, etc).

My advice would be to check whether the account is active on the machine and if possible, disable and/or remove it.

A user activity is detected from a disabled account in Active directory

1 Answers1