Deleted User Account appearing in EventLog RRS feed

  • Question

  • We have an issue wherein a known deleted user account was listed yesterday in our event logs as attempting to access a workstation on our network. There is no record of this user in AD, on the workstation's local users and groups or any other remote access software. We removed this user's account approximately 1.5 years ago yet it appeared in an audit of the event log.

    What steps can we take to ensure that there is no further account for this user beyond Active Directory, the workstation's local users and groups and all remote access software? And what further forensic steps should be taken to discover the source of this attempted access?

    Wednesday, March 16, 2016 5:41 PM