How to Detect Who Disabled a User Account in Active Directory

{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory
Steps
  1. Run gpedit.msc → Create a new GPO → Edit it → Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies > Audit Policy:
    • Audit account management → Define → Success.
  2. Go to Event Log → Define:
    • Maximum security log size to 4GB
    • Retention method for security log to Overwrite events as needed.
  3. Link the new GPO to OU with User Accounts → Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  4. Force the group policy update → In "Group Policy Management" → Right-click the defined OU → Click on "Group Policy Update".
  5. Open ADSI Edit → Connect to Default naming context → Right-click DomainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and Descendant objects" → Permissions → Select all check boxes except the following:
    • Full Control
    • List Contents
    • Read all properties
    • Read permissions → Click "OK".
  6. Open Event viewer and search Security log for event ID’s 4725 (User Account Management task category).
Microsoft Windows Security Event 4725: A user account was disabled
  1. Run Netwrix Auditor → Navigate to "Search" → Click on "Advanced mode" if not selected → Set up the following filters:
    • Filter = "Data source"
      Operator = "Equals"
      Value = "Active Directory"
    • Filter = "Details"
      Operator = "Contains"
      Value = "User Account Disabled"
  2. Click the "Search" button and review who disabled which user accounts in your Active Directory.
Netwrix Auditor Search: who disabled a user account in Active Directory

Detect Disabled Users in Active Directory and Determine Who Disabled Them

If a user can’t log into IT systems with Windows authentication, one of the reasons behind could be an accidentally performed change to system configuration. An incorrect change to system configuration can accidentally disable a user in Active Directory. Disabled users in Active Directory may be unable to access critical resources such as email, files and SharePoint, disrupting the seamless flow of operations. Therefore, IT pros needs to be able to detect when accounts are disabled and quickly determine who made the changes that resulted in Active Directory disabled account.

Netwrix Auditor for Active Directory offers a Google-like Interactive Search feature that helps IT pros detect Active Directory disabled accounts. It also includes a predefined report that shows changes to user account status, including details about who made each change that disabled users in Active Directory and when the change was made. Moreover, Netwrix Auditor for Active Directory can send a real-time alert whenever there’s a status change in an Active Directory account, empowering IT pros to detect disabled user accounts much faster.

 

Related How-tos