Hey everyone, I've noticed some events tagged as ID 4768 popping up from eight of our Domain Controllers. I recognize the usernames and the DCs involved, but I'm trying to figure out why the default administrator account is logging in. Is it safe to disable that administrator account? In general, is that good practice? I get that monitoring event ID 4768 is important for accounts linked to high-value roles, like domain and local administrators, but I'd love some insight here.
1 Answer
It seems like a service on your Domain Controller needed Kerberos authentication (a TGT), since the requests are being logged from 127.0.0.1. I would recommend holding off on disabling the built-in admin account until you can confirm which services require it. Disabling the account might lead to disruptions, including authentication issues and logon problems for services.
How can I find out which services need it or troubleshoot this?
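One way to answer the follow-up question, as an added example that is not part of the original thread: pull the 4768 events off the DC, break them down by the requesting IP address, and then list the services and scheduled tasks on that DC configured to run as the account. Everything below is assumed for illustration: the script name, the `-ComputerName`, `-UserName` and `-Days` parameters, and that it runs elevated with rights to read the DC's Security log.

```powershell
# Added example (not from the original thread). Summarises Kerberos TGT requests
# (event ID 4768) for one account on a DC, grouped by source IP, then lists what
# on that DC is configured to run as the account. Assumes an elevated session with
# rights to read the remote Security log.
# Usage: .\Find-TgtSources.ps1 -ComputerName DC01 -UserName Administrator -Days 7

[CmdletBinding()]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$UserName     = 'Administrator',   # the account seen in the 4768 events
    [int]$Days            = 7
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read the fields from the event XML rather than the message text; the XML
    # field names are stable while the message wording varies by language pack.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.TargetUserName -ne $UserName) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIp   = ($d.IpAddress -replace '^::ffff:', '')   # strip the IPv4-mapped IPv6 prefix
        SourcePort = $d.IpPort
        Status     = $d.Status                 # 0x0 = TGT issued, 0x18 = pre-auth failed (bad password)
        EncType    = $d.TicketEncryptionType   # 0x12 = AES256, 0x17 = RC4 (worth a second look)
        PreAuth    = $d.PreAuthType            # 2 = encrypted timestamp, 15 = PKINIT (smart card)
    }
}

# Which hosts are requesting tickets for this account, how often, and when?
# 127.0.0.1 or ::1 means the request was made on the DC itself.
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object @{n='SourceIp'; e={ $_.Name }}, Count,
                  @{n='First';    e={ ($_.Group | Measure-Object Time -Minimum).Minimum }},
                  @{n='Last';     e={ ($_.Group | Measure-Object Time -Maximum).Maximum }} |
    Format-Table -AutoSize

# For local requests, look at what runs on the DC under that account:
# services and scheduled tasks are the usual suspects.
$cim = New-CimSession -ComputerName $ComputerName
try {
    Get-CimInstance -CimSession $cim -ClassName Win32_Service |
        Where-Object { $_.StartName -match "\\$UserName$" } |
        Select-Object Name, StartName, State, PathName |
        Format-Table -AutoSize

    Get-ScheduledTask -CimSession $cim |
        Where-Object { $_.Principal.UserId -match "(^|\\)$UserName$" } |
        Select-Object TaskName, TaskPath, @{n='RunAs'; e={ $_.Principal.UserId }}, State |
        Format-Table -AutoSize
}
finally {
    Remove-CimSession $cim
}
```

Run it against each of the eight DCs that logged the events. If the source is a remote IP rather than 127.0.0.1, the same service and task checks apply on that host instead. Pairing the 4768 timestamps with the 4624 logon events on the DC in the same window (the logon type shows whether it was a service, batch or interactive logon) usually narrows it down to one process, and only once that process has been moved to a dedicated service account is it reasonable to revisit disabling the built-in Administrator.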