ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    User Account getting disabled in Azure

    Scheduled Pinned Locked Moved IT Discussion
    ad sync
    27 Posts 6 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jt1001001J
      jt1001001
      last edited by

      Did a new user get created with a duplicate email address? Had that happen once that messed things up.

      RomoR 1 Reply Last reply Reply Quote 1
      • RomoR
        Romo @Obsolesce
        last edited by

        @Obsolesce here is the info

        AccountExpirationDate                :
        accountExpires                       : 9223372036854775807
        AccountLockoutTime                   :
        AccountNotDelegated                  : False
        AllowReversiblePasswordEncryption    : False
        AuthenticationPolicy                 : {}
        AuthenticationPolicySilo             : {}
        BadLogonCount                        : 0
        badPasswordTime                      : 132526283882223437
        badPwdCount                          : 0
        c                                    : US
        CannotChangePassword                 : False
        CanonicalName                        : DomainName.local/SITE - Location/Location Users/USER LASTNAME
        Certificates                         : {}
        City                                 : Location
        CN                                   : USER LASTNAME
        co                                   : United States
        codePage                             : 0
        Company                              :
        CompoundIdentitySupported            : {False}
        Country                              : US
        countryCode                          : 840
        Created                              : 6/29/2020 12:05:53 PM
        createTimeStamp                      : 6/29/2020 12:05:53 PM
        Deleted                              :
        Department                           :
        Description                          : FD 8/11/2020-Enabled 11/12/2020
        DisplayName                          : USER LASTNAME
        DistinguishedName                    : CN=USER LASTNAME,OU=Location Users,OU=SITE - Location,DC=DomainName,DC=local
        Division                             :
        DoesNotRequirePreAuth                : False
        dSCorePropagationData                : {12/18/2020 1:19:34 PM, 12/18/2020 1:17:50 PM, 12/18/2020 1:10:57 PM,
                                               11/12/2020 2:31:00 PM...}
        EmailAddress                         : [email protected]
        EmployeeID                           :
        EmployeeNumber                       :
        Enabled                              : True
        Fax                                  :
        GivenName                            : USER
        HomeDirectory                        :
        HomedirRequired                      : False
        HomeDrive                            :
        HomePage                             :
        HomePhone                            :
        Initials                             :
        instanceType                         : 4
        isDeleted                            :
        KerberosEncryptionType               : {None}
        l                                    : Location
        LastBadPasswordAttempt               : 12/16/2020 3:39:48 PM
        LastKnownParent                      :
        lastLogoff                           : 0
        lastLogon                            : 132526894973219910
        LastLogonDate                        : 12/14/2020 8:01:11 AM
        lastLogonTimestamp                   : 132524280715790975
        LockedOut                            : False
        lockoutTime                          : 0
        logonCount                           : 69
        LogonWorkstations                    :
        mail                                 : [email protected]
        Manager                              :
        MemberOf                             : {REDACTED}
        MNSLogonAccount                      : False
        MobilePhone                          :
        Modified                             : 12/18/2020 1:19:34 PM
        modifyTimeStamp                      : 12/18/2020 1:19:34 PM
        mS-DS-ConsistencyGuid                : {32, 103, 80, 151...}
        msDS-SupportedEncryptionTypes        : 0
        msDS-User-Account-Control-Computed   : 0
        msExchBypassAudit                    : False
        msExchPreviousRecipientTypeDetails   : 1
        msExchRecipientSoftDeletedStatus     : 0
        msExchUMDtmfMap                      : {lastNameFirstName:2266666299355, firstNameLastName:6299355226666}
        Name                                 : USER LASTNAME
        nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
        ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=DomainName,DC=local
        ObjectClass                          : user
        ObjectGUID                           : 97506720-3ae7-4364-898b-e1fa734ed821
        objectSid                            : S-1-5-21-2029862695-1482051392-3921772031-28167
        Office                               :
        OfficePhone                          :
        Organization                         :
        OtherName                            :
        PasswordExpired                      : False
        PasswordLastSet                      : 12/8/2020 4:48:43 PM
        PasswordNeverExpires                 : False
        PasswordNotRequired                  : False
        POBox                                :
        PostalCode                           :
        PrimaryGroup                         : CN=Domain Users,CN=Users,DC=DomainName,DC=local
        primaryGroupID                       : 513
        PrincipalsAllowedToDelegateToAccount : {}
        ProfilePath                          :
        ProtectedFromAccidentalDeletion      : False
        proxyAddresses                       : {[email protected]}
        pwdLastSet                           : 132519413236813439
        SamAccountName                       : mLASTNAME
        sAMAccountType                       : 805306368
        ScriptPath                           :
        sDRightsEffective                    : 15
        ServicePrincipalNames                : {}
        showInAddressBook                    : {REDACTED}
        SID                                  : S-1-5-21-2029862695-1482051392-3921772031-28167
        SIDHistory                           : {}
        SmartcardLogonRequired               : False
        sn                                   : LASTNAME
        st                                   : IL
        State                                : IL
        StreetAddress                        :
        Surname                              : LASTNAME
        Title                                :
        TrustedForDelegation                 : False
        TrustedToAuthForDelegation           : False
        UseDESKeyOnly                        : False
        userAccountControl                   : 512
        userCertificate                      : {}
        UserPrincipalName                    : [email protected]
        uSNChanged                           : 62837343
        uSNCreated                           : 28616664
        whenChanged                          : 12/18/2020 1:19:34 PM
        whenCreated                          : 6/29/2020 12:05:53 PM
        
        1 Reply Last reply Reply Quote 0
        • RomoR
          Romo @jt1001001
          last edited by

          @jt1001001 User was disabled on 8/11/2020 originally and enabled again on 11/12/2020. The day he got re-enabled was the issues started happening

          1 Reply Last reply Reply Quote 0
          • RomoR
            Romo @dbeato
            last edited by

            @dbeato Here is screenshot. I dont see a sync at all in logs at 7:59 in the sync service manager. Yet the audit logs show the disable account sync at that time.

            270d4eb3-f3f3-413a-9877-1c63b770ec3b-image.png

            The user principal name in the activity log is showing the sync coming from the same DC, so not sure what is going on.

            1 Reply Last reply Reply Quote 0
            • dbeatoD
              dbeato
              last edited by

              @Romo said in User Account getting disabled in Azure:

              ame in the activity log is showing the sync coming from the same DC, so not sure what is going on.

              On the Delta import warnings, what is the issue there?

              RomoR 1 Reply Last reply Reply Quote 0
              • RomoR
                Romo @dbeato
                last edited by Romo

                @dbeato exported-change-not-reimported
                exported-change-not-reimported.png

                dbeatoD 1 Reply Last reply Reply Quote 0
                • dbeatoD
                  dbeato @Romo
                  last edited by

                  @Romo Got it, not relevant then. Let me see what I can find on the Azure side then.

                  RomoR 1 Reply Last reply Reply Quote 0
                  • RomoR
                    Romo @dbeato
                    last edited by

                    @dbeato Imgur not working apparently couldn't load the other image.

                    1 Reply Last reply Reply Quote 0
                    • dbeatoD
                      dbeato
                      last edited by

                      @Romo said in User Account getting disabled in Azure:

                      LastBadPasswordAttempt

                      It looks like the account is being targeted by LastBadPasswordAttempt

                      1 Reply Last reply Reply Quote 1
                      • RomoR
                        Romo
                        last edited by

                        @dbeato Targeted?

                        @Romo said in User Account getting disabled in Azure:

                        BadLogonCount : 0
                        badPasswordTime : 132526283882223437
                        badPwdCount : 0

                        Shouldn't the BadLogonCount raise if bad passwords were tried?

                        dbeatoD 1 Reply Last reply Reply Quote 1
                        • dbeatoD
                          dbeato @Romo
                          last edited by

                          @Romo Yes, but the thing is there is two side to this, the Azure AD end (Office 365) and AD itself. However I believe the issue might be hard to pinpoint unless you go to the last 24 hours of Azure Signins logs ans see that account or check the audit logs. Also does this account have MFA enabled?

                          RomoR 1 Reply Last reply Reply Quote 1
                          • RomoR
                            Romo @dbeato
                            last edited by

                            @dbeato No signing attempts at all during the weekend, but the account is still getting disabled and enabled on its own as shown in the azure audit logs.

                            1 Reply Last reply Reply Quote 1
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              Could there be something automated trying to log in over and over again with a bad password?

                              DashrenderD RomoR 2 Replies Last reply Reply Quote 1
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said in User Account getting disabled in Azure:

                                Could there be something automated trying to log in over and over again with a bad password?

                                wouldn't the logs pickup the attempt? Thought he said the logs showed no attempts?

                                1 Reply Last reply Reply Quote 0
                                • RomoR
                                  Romo @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in User Account getting disabled in Azure:

                                  Could there be something automated trying to log in over and over again with a bad password?

                                  No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.

                                  DashrenderD 1 Reply Last reply Reply Quote 0
                                  • DashrenderD
                                    Dashrender @Romo
                                    last edited by

                                    @Romo said in User Account getting disabled in Azure:

                                    @scottalanmiller said in User Account getting disabled in Azure:

                                    Could there be something automated trying to log in over and over again with a bad password?

                                    No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.

                                    why are you assuming sync? You're logs there have shown you nothing, right?

                                    RomoR 1 Reply Last reply Reply Quote 0
                                    • RomoR
                                      Romo @Dashrender
                                      last edited by

                                      @Dashrender The Synchronization service manager application logs dont show the "sync" that the azure logs show sending the disable account change, but azure does show this "sync", the Actiion Client Name is Directory Sync as well

                                      42c4ed7e-47f1-451d-914b-a850a1e9558a-image.png

                                      What I cant seem to find, is where this disabled account value is coming from if AD is showing the account as active and enabled.

                                      dbeatoD DashrenderD 2 Replies Last reply Reply Quote 0
                                      • dbeatoD
                                        dbeato @Romo
                                        last edited by

                                        @Romo Okay, so I mean on the Sync logs it should show on the DC the account being synced. If I recall in the past I saw a bug on Microsoft end on this and upgrading the Azure AD Connect server to the latest versioned worked (Not saying you need to do that but I am still trying to find the article on this).

                                        1 Reply Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @Romo
                                          last edited by

                                          @Romo said in User Account getting disabled in Azure:

                                          @Dashrender The Synchronization service manager application logs dont show the "sync" that the azure logs show sending the disable account change, but azure does show this "sync", the Actiion Client Name is Directory Sync as well

                                          42c4ed7e-47f1-451d-914b-a850a1e9558a-image.png

                                          What I cant seem to find, is where this disabled account value is coming from if AD is showing the account as active and enabled.

                                          right, so with that in hand, why are you looking to the sync at all? Why not focus solely on Azure to find the issue?

                                          I'm also curious, if Azure is showing it as disabled - why is that not being sync'ed back to AD and disabling there? do you have one way sync setup?

                                          dbeatoD 1 Reply Last reply Reply Quote 0
                                          • dbeatoD
                                            dbeato @Dashrender
                                            last edited by

                                            @Dashrender said in User Account getting disabled in Azure:

                                            o curious, if Azure is showing it as disabled - why is that not be

                                            Azure Sync doesn't sync back to AD. it is the other way around.

                                            1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post