User Account getting disabled in Azure
-
Did a new user get created with a duplicate email address? Had that happen once that messed things up.
-
@Obsolesce here is the info
AccountExpirationDate : accountExpires : 9223372036854775807 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False AuthenticationPolicy : {} AuthenticationPolicySilo : {} BadLogonCount : 0 badPasswordTime : 132526283882223437 badPwdCount : 0 c : US CannotChangePassword : False CanonicalName : DomainName.local/SITE - Location/Location Users/USER LASTNAME Certificates : {} City : Location CN : USER LASTNAME co : United States codePage : 0 Company : CompoundIdentitySupported : {False} Country : US countryCode : 840 Created : 6/29/2020 12:05:53 PM createTimeStamp : 6/29/2020 12:05:53 PM Deleted : Department : Description : FD 8/11/2020-Enabled 11/12/2020 DisplayName : USER LASTNAME DistinguishedName : CN=USER LASTNAME,OU=Location Users,OU=SITE - Location,DC=DomainName,DC=local Division : DoesNotRequirePreAuth : False dSCorePropagationData : {12/18/2020 1:19:34 PM, 12/18/2020 1:17:50 PM, 12/18/2020 1:10:57 PM, 11/12/2020 2:31:00 PM...} EmailAddress : [email protected] EmployeeID : EmployeeNumber : Enabled : True Fax : GivenName : USER HomeDirectory : HomedirRequired : False HomeDrive : HomePage : HomePhone : Initials : instanceType : 4 isDeleted : KerberosEncryptionType : {None} l : Location LastBadPasswordAttempt : 12/16/2020 3:39:48 PM LastKnownParent : lastLogoff : 0 lastLogon : 132526894973219910 LastLogonDate : 12/14/2020 8:01:11 AM lastLogonTimestamp : 132524280715790975 LockedOut : False lockoutTime : 0 logonCount : 69 LogonWorkstations : mail : [email protected] Manager : MemberOf : {REDACTED} MNSLogonAccount : False MobilePhone : Modified : 12/18/2020 1:19:34 PM modifyTimeStamp : 12/18/2020 1:19:34 PM mS-DS-ConsistencyGuid : {32, 103, 80, 151...} msDS-SupportedEncryptionTypes : 0 msDS-User-Account-Control-Computed : 0 msExchBypassAudit : False msExchPreviousRecipientTypeDetails : 1 msExchRecipientSoftDeletedStatus : 0 msExchUMDtmfMap : {lastNameFirstName:2266666299355, firstNameLastName:6299355226666} Name : USER LASTNAME nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=DomainName,DC=local ObjectClass : user ObjectGUID : 97506720-3ae7-4364-898b-e1fa734ed821 objectSid : S-1-5-21-2029862695-1482051392-3921772031-28167 Office : OfficePhone : Organization : OtherName : PasswordExpired : False PasswordLastSet : 12/8/2020 4:48:43 PM PasswordNeverExpires : False PasswordNotRequired : False POBox : PostalCode : PrimaryGroup : CN=Domain Users,CN=Users,DC=DomainName,DC=local primaryGroupID : 513 PrincipalsAllowedToDelegateToAccount : {} ProfilePath : ProtectedFromAccidentalDeletion : False proxyAddresses : {[email protected]} pwdLastSet : 132519413236813439 SamAccountName : mLASTNAME sAMAccountType : 805306368 ScriptPath : sDRightsEffective : 15 ServicePrincipalNames : {} showInAddressBook : {REDACTED} SID : S-1-5-21-2029862695-1482051392-3921772031-28167 SIDHistory : {} SmartcardLogonRequired : False sn : LASTNAME st : IL State : IL StreetAddress : Surname : LASTNAME Title : TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False userAccountControl : 512 userCertificate : {} UserPrincipalName : [email protected] uSNChanged : 62837343 uSNCreated : 28616664 whenChanged : 12/18/2020 1:19:34 PM whenCreated : 6/29/2020 12:05:53 PM -
@jt1001001 User was disabled on 8/11/2020 originally and enabled again on 11/12/2020. The day he got re-enabled was the issues started happening
-
@dbeato Here is screenshot. I dont see a sync at all in logs at 7:59 in the sync service manager. Yet the audit logs show the disable account sync at that time.
The user principal name in the activity log is showing the sync coming from the same DC, so not sure what is going on.
-
@Romo said in User Account getting disabled in Azure:
ame in the activity log is showing the sync coming from the same DC, so not sure what is going on.
On the Delta import warnings, what is the issue there?
-
@dbeato exported-change-not-reimported
-
@Romo Got it, not relevant then. Let me see what I can find on the Azure side then.
-
@dbeato Imgur not working apparently couldn't load the other image.
-
@Romo said in User Account getting disabled in Azure:
LastBadPasswordAttempt
It looks like the account is being targeted by LastBadPasswordAttempt
-
@dbeato Targeted?
@Romo said in User Account getting disabled in Azure:
BadLogonCount : 0
badPasswordTime : 132526283882223437
badPwdCount : 0Shouldn't the BadLogonCount raise if bad passwords were tried?
-
@Romo Yes, but the thing is there is two side to this, the Azure AD end (Office 365) and AD itself. However I believe the issue might be hard to pinpoint unless you go to the last 24 hours of Azure Signins logs ans see that account or check the audit logs. Also does this account have MFA enabled?
-
@dbeato No signing attempts at all during the weekend, but the account is still getting disabled and enabled on its own as shown in the azure audit logs.
-
Could there be something automated trying to log in over and over again with a bad password?
-
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
wouldn't the logs pickup the attempt? Thought he said the logs showed no attempts?
-
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.
-
@Romo said in User Account getting disabled in Azure:
@scottalanmiller said in User Account getting disabled in Azure:
Could there be something automated trying to log in over and over again with a bad password?
No signint attempts during the weekend, interactive or uninterective where logged int the azure logs, but the account still kept getting disabled and enabled by sync or something.
why are you assuming sync? You're logs there have shown you nothing, right?
-
@Dashrender The Synchronization service manager application logs dont show the "sync" that the azure logs show sending the disable account change, but azure does show this "sync", the Actiion Client Name is Directory Sync as well
What I cant seem to find, is where this disabled account value is coming from if AD is showing the account as active and enabled.
-
@Romo Okay, so I mean on the Sync logs it should show on the DC the account being synced. If I recall in the past I saw a bug on Microsoft end on this and upgrading the Azure AD Connect server to the latest versioned worked (Not saying you need to do that but I am still trying to find the article on this).
-
@Romo said in User Account getting disabled in Azure:
@Dashrender The Synchronization service manager application logs dont show the "sync" that the azure logs show sending the disable account change, but azure does show this "sync", the Actiion Client Name is Directory Sync as well
What I cant seem to find, is where this disabled account value is coming from if AD is showing the account as active and enabled.
right, so with that in hand, why are you looking to the sync at all? Why not focus solely on Azure to find the issue?
I'm also curious, if Azure is showing it as disabled - why is that not being sync'ed back to AD and disabling there? do you have one way sync setup?
-
@Dashrender said in User Account getting disabled in Azure:
o curious, if Azure is showing it as disabled - why is that not be
Azure Sync doesn't sync back to AD. it is the other way around.
