We have an old Domain Admin account that we're retiring. The account has been disabled but seems to be requesting Kerberos tickets from one of the DCs. How can we track where or what is still using this account?
Below is the Event ID being generated:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 12/20/2016 16:54:53
Event ID: 4768
Level: Audit Failure
User:
Computer: DC3.domain.com

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: AdminAcct
    Supplied Realm Name: domain.com
    User ID: S-1-0-0

Service Information:
    Service Name: krbtgt/domain.com
    Service ID: S-1-0-0

Network Information:
    Client Address: ::1
    Client Port: 0

Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x12
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
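
Added example, not part of the original post: one way to see where these requests come from is to pull every 4768 event for the account from each DC, decode the result code, and group by client address. It goes a step beyond the single event above by also listing services and scheduled tasks that run as the account on any DC where the client address is loopback (::1), which means the request originated on that DC itself. The DC list is an assumption, as is having rights to read the remote Security log and the ScheduledTasks module (Server 2012 or later).

```powershell
# Added example. Values below come from the event above; extend the DC list as needed.
$Account           = 'AdminAcct'
$DomainControllers = @('DC3.domain.com')   # assumption: add the remaining DCs here

# Subset of RFC 4120 error codes as they appear in the 4768 "Result Code" field.
$ResultCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED'
}

# Filter on the DC side so only TGT requests for this account are returned.
$xpath = "*[System[EventID=4768] and EventData[Data[@Name='TargetUserName']='$Account']]"

$hits = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $ip = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            DC      = $dc
            Client  = $ip
            Local   = $ip -in '::1', '127.0.0.1'           # request came from the DC itself
            Result  = $data['Status']
            Meaning = $ResultCodes[[string]$data['Status']]
        }
    }
}

# Which client addresses are asking, how often, and when they last asked.
$hits | Group-Object DC, Client, Result | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Last'; e={ ($_.Group | Sort-Object Time)[-1].Time }}

# For loopback hits, look on that DC for anything configured to run as the account.
foreach ($dc in ($hits | Where-Object Local | Select-Object -ExpandProperty DC -Unique)) {
    Get-CimInstance Win32_Service -ComputerName $dc |
        Where-Object StartName -like "*$Account*" |
        Select-Object PSComputerName, Name, StartName, State
    Get-ScheduledTask -CimSession $dc |
        Where-Object { $_.Principal.UserId -like "*$Account*" } |
        Select-Object TaskPath, TaskName, @{n='RunAs'; e={ $_.Principal.UserId }}
}
```

For a non-loopback client address, the same service and scheduled-task check can be pointed at that host instead of the DC.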