Solved: Re: Windows Event Code 4798 for Disabled Accounts

michaeler · ‎03-23-2021

I admin an Enterprise instance. I was adding a report for use of service/default accounts when I noticed all of the built-in accounts (Visitor, DefaultAdmin, etc) generated the Event Code 4798, EventType=Audit Success, four times a day on the workstations. All of these accounts are disabled.

I'm assuming this is the system verifying that the built-in accounts are still disabled but I wanted to make sure.

Can anyone confirm this or let me know what it actually means?

hoaxm3 · ‎03-23-2021

Yes, can confirm, groups are enumerated all day every day, so this traffic is relatively normal. If you are concerned: you can look to bring in AD information: https://splunkbase.splunk.com/app/1151/#/overview and then look for any logins (4624, 4768,4776,etc.) searching for the disabled users.

View solution in original post

hoaxm3 · ‎03-23-2021

Yes, can confirm, groups are enumerated all day every day, so this traffic is relatively normal. If you are concerned: you can look to bring in AD information: https://splunkbase.splunk.com/app/1151/#/overview and then look for any logins (4624, 4768,4776,etc.) searching for the disabled users.

michaeler · ‎03-23-2021

Thanks. They didn't generate any other Event Codes so I figured as such.

Windows Event Code 4798 for Disabled Accounts

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!