User Account getting disabled in Azure
-
Trying to figure out why a user account is constantly getting disabled in Azure. The site has AD sync running, the local AD user is not disabled but the audit logs in azure shows the sync is sending the Disable Account attribute change for some reason.
Any idea what else to check to get a better understanding of why this could be happening.
-
@Romo said in User Account getting disabled in Azure:
Any idea what else to check
What do the DC/AD logs say
-
@Obsolesce
In AD, I see the sync logs happening at 1:12 and 1:42, I see no AD sync log in the logs at 1:28 or 1:58 which seem to be the ones disabling the account.The Synchronization service manager also shows the syncs occurring at 1:12 and 1:42
Azure also reports the syncs coming from the same machine, so it doesn't seem like the client has another sync running.
-
@Romo said in User Account getting disabled in Azure:
@Obsolesce
In AD, I see the sync logs happening at 1:12 and 1:42, I see no AD sync log in the logs at 1:28 or 1:58 which seem to be the ones disabling the account.The Synchronization service manager also shows the syncs occurring at 1:12 and 1:42
Azure also reports the syncs coming from the same machine, so it doesn't seem like the client has another sync running.
Not the sync logs, I meant the actual DC/AD audit logs that contain the info of that user account.
You do have auditing turn on correct? At least the bare minimum, which includes the User Account Management one? As well as others.
If not, you'll have to look into all the reasons that would cause an account to be disabled on AAD.
Are you sure the account is not disabled in AD, or have login disabled, or somewhere that is no longer being synchronized? Not sure what all reasons there are without being able to look, that that's a few.
-
@Obsolesce said in User Account getting disabled in Azure:
would cause an account to be disabled on AAD.
AD audit logs don't show the account as getting disabled at all, the only entry I see there is when I manually disabled the account today to try to get a log at 2:03:56PM
Account was enabled at 7:40:55 PM
Only after the account was enabled in AD, the sync once again properly enabled the account in Azure but something disabled it again minutes after and the cycle of enabling and disabling started again.
Currently the account is still showing as enabled in AD and no further security audit logs are shown accept the above screenshots.
-
Can you show the AD Connect SYnc logs at both those times?
-
Can you do a dump of all AD properties of the user from PowerShell?
Get-ADUser -Identity "user" -Properties *... redacting confidential stuff first of course before posting it. -
Did a new user get created with a duplicate email address? Had that happen once that messed things up.
-
@Obsolesce here is the info
AccountExpirationDate : accountExpires : 9223372036854775807 AccountLockoutTime : AccountNotDelegated : False AllowReversiblePasswordEncryption : False AuthenticationPolicy : {} AuthenticationPolicySilo : {} BadLogonCount : 0 badPasswordTime : 132526283882223437 badPwdCount : 0 c : US CannotChangePassword : False CanonicalName : DomainName.local/SITE - Location/Location Users/USER LASTNAME Certificates : {} City : Location CN : USER LASTNAME co : United States codePage : 0 Company : CompoundIdentitySupported : {False} Country : US countryCode : 840 Created : 6/29/2020 12:05:53 PM createTimeStamp : 6/29/2020 12:05:53 PM Deleted : Department : Description : FD 8/11/2020-Enabled 11/12/2020 DisplayName : USER LASTNAME DistinguishedName : CN=USER LASTNAME,OU=Location Users,OU=SITE - Location,DC=DomainName,DC=local Division : DoesNotRequirePreAuth : False dSCorePropagationData : {12/18/2020 1:19:34 PM, 12/18/2020 1:17:50 PM, 12/18/2020 1:10:57 PM, 11/12/2020 2:31:00 PM...} EmailAddress : [email protected] EmployeeID : EmployeeNumber : Enabled : True Fax : GivenName : USER HomeDirectory : HomedirRequired : False HomeDrive : HomePage : HomePhone : Initials : instanceType : 4 isDeleted : KerberosEncryptionType : {None} l : Location LastBadPasswordAttempt : 12/16/2020 3:39:48 PM LastKnownParent : lastLogoff : 0 lastLogon : 132526894973219910 LastLogonDate : 12/14/2020 8:01:11 AM lastLogonTimestamp : 132524280715790975 LockedOut : False lockoutTime : 0 logonCount : 69 LogonWorkstations : mail : [email protected] Manager : MemberOf : {REDACTED} MNSLogonAccount : False MobilePhone : Modified : 12/18/2020 1:19:34 PM modifyTimeStamp : 12/18/2020 1:19:34 PM mS-DS-ConsistencyGuid : {32, 103, 80, 151...} msDS-SupportedEncryptionTypes : 0 msDS-User-Account-Control-Computed : 0 msExchBypassAudit : False msExchPreviousRecipientTypeDetails : 1 msExchRecipientSoftDeletedStatus : 0 msExchUMDtmfMap : {lastNameFirstName:2266666299355, firstNameLastName:6299355226666} Name : USER LASTNAME nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=DomainName,DC=local ObjectClass : user ObjectGUID : 97506720-3ae7-4364-898b-e1fa734ed821 objectSid : S-1-5-21-2029862695-1482051392-3921772031-28167 Office : OfficePhone : Organization : OtherName : PasswordExpired : False PasswordLastSet : 12/8/2020 4:48:43 PM PasswordNeverExpires : False PasswordNotRequired : False POBox : PostalCode : PrimaryGroup : CN=Domain Users,CN=Users,DC=DomainName,DC=local primaryGroupID : 513 PrincipalsAllowedToDelegateToAccount : {} ProfilePath : ProtectedFromAccidentalDeletion : False proxyAddresses : {[email protected]} pwdLastSet : 132519413236813439 SamAccountName : mLASTNAME sAMAccountType : 805306368 ScriptPath : sDRightsEffective : 15 ServicePrincipalNames : {} showInAddressBook : {REDACTED} SID : S-1-5-21-2029862695-1482051392-3921772031-28167 SIDHistory : {} SmartcardLogonRequired : False sn : LASTNAME st : IL State : IL StreetAddress : Surname : LASTNAME Title : TrustedForDelegation : False TrustedToAuthForDelegation : False UseDESKeyOnly : False userAccountControl : 512 userCertificate : {} UserPrincipalName : [email protected] uSNChanged : 62837343 uSNCreated : 28616664 whenChanged : 12/18/2020 1:19:34 PM whenCreated : 6/29/2020 12:05:53 PM -
@jt1001001 User was disabled on 8/11/2020 originally and enabled again on 11/12/2020. The day he got re-enabled was the issues started happening
-
@dbeato Here is screenshot. I dont see a sync at all in logs at 7:59 in the sync service manager. Yet the audit logs show the disable account sync at that time.
The user principal name in the activity log is showing the sync coming from the same DC, so not sure what is going on.
-
@Romo said in User Account getting disabled in Azure:
ame in the activity log is showing the sync coming from the same DC, so not sure what is going on.
On the Delta import warnings, what is the issue there?
-
@dbeato exported-change-not-reimported
-
@Romo Got it, not relevant then. Let me see what I can find on the Azure side then.
-
@dbeato Imgur not working apparently couldn't load the other image.
-
@Romo said in User Account getting disabled in Azure:
LastBadPasswordAttempt
It looks like the account is being targeted by LastBadPasswordAttempt
-
@dbeato Targeted?
@Romo said in User Account getting disabled in Azure:
BadLogonCount : 0
badPasswordTime : 132526283882223437
badPwdCount : 0Shouldn't the BadLogonCount raise if bad passwords were tried?
-
@Romo Yes, but the thing is there is two side to this, the Azure AD end (Office 365) and AD itself. However I believe the issue might be hard to pinpoint unless you go to the last 24 hours of Azure Signins logs ans see that account or check the audit logs. Also does this account have MFA enabled?
-
@dbeato No signing attempts at all during the weekend, but the account is still getting disabled and enabled on its own as shown in the azure audit logs.
-
Could there be something automated trying to log in over and over again with a bad password?
