User Account getting disabled in Azure
-
@Obsolesce said in User Account getting disabled in Azure:
would cause an account to be disabled on AAD.
AD audit logs don't show the account as getting disabled at all, the only entry I see there is when I manually disabled the account today to try to get a log at 2:03:56PM
Account was enabled at 7:40:55 PM
Only after the account was enabled in AD, the sync once again properly enabled the account in Azure but something disabled it again minutes after and the cycle of enabling and disabling started again.
Currently the account is still showing as enabled in AD and no further security audit logs are shown accept the above screenshots.
-
Can you show the AD Connect SYnc logs at both those times?
-
Can you do a dump of all AD properties of the user from PowerShell?
Get-ADUser -Identity "user" -Properties *
... redacting confidential stuff first of course before posting it. -
Did a new user get created with a duplicate email address? Had that happen once that messed things up.
-
@Obsolesce here is the info
AccountExpirationDate : accountExpires : 9223372036854775807 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False AuthenticationPolicy : {} AuthenticationPolicySilo : {} BadLogonCount : 0 badPasswordTime : 132526283882223437 badPwdCount : 0 c : US CannotChangePassword : False CanonicalName : DomainName.local/SITE - Location/Location Users/USER LASTNAME Certificates : {} City : Location CN : USER LASTNAME co : United States codePage : 0 Company : CompoundIdentitySupported : {False} Country : US countryCode : 840 Created : 6/29/2020 12:05:53 PM createTimeStamp : 6/29/2020 12:05:53 PM Deleted : Department : Description : FD 8/11/2020-Enabled 11/12/2020 DisplayName : USER LASTNAME DistinguishedName : CN=USER LASTNAME,OU=Location Users,OU=SITE - Location,DC=DomainName,DC=local Division : DoesNotRequirePreAuth : False dSCorePropagationData : {12/18/2020 1:19:34 PM, 12/18/2020 1:17:50 PM, 12/18/2020 1:10:57 PM, 11/12/2020 2:31:00 PM...} EmailAddress : [email protected] EmployeeID : EmployeeNumber : Enabled : True Fax : GivenName : USER HomeDirectory : HomedirRequired : False HomeDrive : HomePage : HomePhone : Initials : instanceType : 4 isDeleted : KerberosEncryptionType : {None} l : Location LastBadPasswordAttempt : 12/16/2020 3:39:48 PM LastKnownParent : lastLogoff : 0 lastLogon : 132526894973219910 LastLogonDate : 12/14/2020 8:01:11 AM lastLogonTimestamp : 132524280715790975 LockedOut : False lockoutTime : 0 logonCount : 69 LogonWorkstations : mail : [email protected] Manager : MemberOf : {REDACTED} MNSLogonAccount : False MobilePhone : Modified : 12/18/2020 1:19:34 PM modifyTimeStamp : 12/18/2020 1:19:34 PM mS-DS-ConsistencyGuid : {32, 103, 80, 151...} msDS-SupportedEncryptionTypes : 0 msDS-User-Account-Control-Computed : 0 msExchBypassAudit : False msExchPreviousRecipientTypeDetails : 1 msExchRecipientSoftDeletedStatus : 0 msExchUMDtmfMap : {lastNameFirstName:2266666299355, firstNameLastName:6299355226666} Name : USER LASTNAME nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=DomainName,DC=local ObjectClass : user ObjectGUID : 97506720-3ae7-4364-898b-e1fa734ed821 objectSid : S-1-5-21-2029862695-1482051392-3921772031-28167 Office : OfficePhone : Organization : OtherName : PasswordExpired : False PasswordLastSet : 12/8/2020 4:48:43 PM PasswordNeverExpires : False PasswordNotRequired : False POBox : PostalCode : PrimaryGroup : CN=Domain Users,CN=Users,DC=DomainName,DC=local primaryGroupID : 513 PrincipalsAllowedToDelegateToAccount : {} ProfilePath : ProtectedFromAccidentalDeletion : False proxyAddresses : {[email protected]} pwdLastSet : 132519413236813439 SamAccountName : mLASTNAME sAMAccountType : 805306368 ScriptPath : sDRightsEffective : 15 ServicePrincipalNames : {} showInAddressBook : {REDACTED} SID : S-1-5-21-2029862695-1482051392-3921772031-28167 SIDHistory : {} SmartcardLogonRequired : False sn : LASTNAME st : IL State : IL StreetAddress : Surname : LASTNAME Title : TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False userAccountControl : 512 userCertificate : {} UserPrincipalName : [email protected] uSNChanged : 62837343 uSNCreated : 28616664 whenChanged : 12/18/2020 1:19:34 PM whenCreated : 6/29/2020 12:05:53 PM
-
@jt1001001 User was disabled on 8/11/2020 originally and enabled again on 11/12/2020. The day he got re-enabled was the issues started happening
-
@dbeato Here is screenshot. I dont see a sync at all in logs at 7:59 in the sync service manager. Yet the audit logs show the disable account sync at that time.
The user principal name in the activity log is showing the sync coming from the same DC, so not sure what is going on.
-
@Romo said in User Account getting disabled in Azure:
ame in the activity log is showing the sync coming from the same DC, so not sure what is going on.
On the Delta import warnings, what is the issue there?
-
@dbeato exported-change-not-reimported
-
@Romo Got it, not relevant then. Let me see what I can find on the Azure side then.
-
@dbeato Imgur not working apparently couldn't load the other image.
-
@Romo said in User Account getting disabled in Azure:
LastBadPasswordAttempt
It looks like the account is being targeted by LastBadPasswordAttempt
-
@dbeato Targeted?
@Romo said in User Account getting disabled in Azure:
BadLogonCount : 0
badPasswordTime : 132526283882223437
badPwdCount : 0Shouldn't the BadLogonCount raise if bad passwords were tried?
-
@Romo Yes, but the thing is there is two side to this, the Azure AD end (Office 365) and AD itself. However I believe the issue might be hard to pinpoint unless you go to the last 24 hours of Azure Signins logs ans see that account or check the audit logs. Also does this account have MFA enabled?
-
@dbeato No signing attempts at all during the weekend, but the account is still getting disabled and enabled on its own as shown in the azure audit logs.
-
Could there be something automated trying to log in over and over again with a bad password?
-
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
wouldn't the logs pickup the attempt? Thought he said the logs showed no attempts?
-
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.
-
@Romo said in User Account getting disabled in Azure:
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.
why are you assuming sync? You're logs there have shown you nothing, right?
-
@Dashrender The Synchronization service manager application logs dont show the "sync" that the azure logs show sending the disable account change, but azure does show this "sync", the Actiion Client Name is Directory Sync as well
What I cant seem to find, is where this disabled account value is coming from if AD is showing the account as active and enabled.