Aloha #Infosec #DFIR and #Microsoft sysadmin community.

I'm wondering if anyone can explain me why there is still one last 4624 Event logged on the DC after a user has been disabled (EventID 4725)?

The tested scenario was I've logged into the Win10 client, disabled the user on the DC, logged out on the Win10 client and tried to unsuccesfully login again but the DC still logged the 4624 Event?

Can someone please explain that to me? Please also share to extend my reach :) Muchas gracias