Users whose accounts have been disabled, either accidentally or maliciously, are unable to log into IT systems using Windows authentication. Those who are already logged in might experience problems accessing email, files, SharePoint, etc.
With native auditing you have to go through the 6 steps listed below:

1. Open Group Policy Management (gpmc.msc) -> Create a new GPO -> Edit it -> Go to "Computer Configuration" -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
Audit account management -> Define -> Success.
(If the domain uses Advanced Audit Policy Configuration, the equivalent setting is Account Management -> Audit User Account Management -> Success; advanced settings override the legacy category, so enabling only the legacy one will have no effect in that case.)
2. Go to Event Log -> Define:
- Maximum security log size to 4GB
- Retention method for security log to Overwrite events as needed.
3. Link the new GPO to the Domain Controllers OU -> Go to "Group Policy Management" -> Right-click the Domain Controllers OU -> Choose "Link an Existing GPO" -> Choose the GPO that you've created. (Event 4725 for a domain account is written to the Security log of the domain controller that processed the change, not to the user's workstation, so the audit policy must apply to the DCs.)
4. Force the group policy update -> In "Group Policy Management" -> Right-click the Domain Controllers OU -> Click "Group Policy Update" (or run gpupdate /force on each DC).
5. Open ADSI Edit -> Connect to Default naming context -> Right-click the domainDNS object with the name of your domain -> Properties -> Security (tab) -> Advanced (button) -> Auditing (tab) -> Add Principal "Everyone" -> Type "Success" -> Applies to "This object and all descendant objects" -> Permissions -> Select all check boxes except the following:
- Full Control
- List Contents
- Read all properties
- Read permissions
Click "OK". (This SACL enables directory object auditing, which produces separate Directory Service events; event 4725 itself is generated by the account management audit policy from step 1.)
6. Open Event Viewer and filter the Security log for event ID 4725 ("A user account was disabled", task category User Account Management). The Subject fields of the event show who disabled the account; the Target Account fields show which account was disabled.
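The last step done from PowerShell instead of Event Viewer, as an added example that is not part of the original page: it confirms on each domain controller that the User Account Management subcategory is auditing successes (the setting that actually produces 4725), then collects every 4725 event from the last $Days days on every DC and reports who disabled which account. It assumes the ActiveDirectory RSAT module, WinRM access to the DCs for the auditpol check, and rights to read their Security logs; the $Days parameter and the output columns are my choices.

```powershell
# Added example, not code from the original page.
# Assumptions: ActiveDirectory module installed, WinRM to the DCs, and read
# access to their Security logs. $Days is a parameter chosen for this example.
param([int]$Days = 7)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {

    # The audit policy that produces 4725; if it is not set to Success on this
    # DC (e.g. an advanced audit policy overrides the legacy category), nothing
    # will be found here no matter what the GPO says.
    $audit = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        auditpol /get /subcategory:"User Account Management"
    }
    if (-not ($audit -match 'Success')) {
        Write-Warning "$($dc.HostName): User Account Management success auditing is off; 4725 is not being logged here."
    }

    # 4725 is written only on the DC that processed the change and does not
    # replicate, so every DC has to be queried. Get-WinEvent throws when no
    # events match, hence SilentlyContinue.
    $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4725            # "A user account was disabled."
        StartTime = $since
    }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of
        # parsing the localized message text.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            DC             = $dc.HostName
            DisabledBy     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            SubjectLogonId = $data.SubjectLogonId   # correlate with 4624 to find the source host
            Account        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            TargetSid      = $data.TargetSid
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

SubjectLogonId is included because the disabling account alone does not tell you where the change came from: match it against the 4624 logon event with the same Logon ID on the same DC to get the source workstation or IP.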
For comparison, with Netwrix Auditor for Active Directory you would need to go through only 3 simple steps:
- Run Netwrix Auditor -> Click "Search" -> Advanced -> Set up the following filters:
  - Audited System = Active Directory
  - Object Type = User
- Click "Modify", type "disabled" into the search field and click "Search".
- After that, you will see who disabled which account in your domain.