Windows Server 2012 R2 – Find out who Disabled an User Account in Active Directory

Always fun to try to figure out what is happening on your network or server. Especially if something happened and no one knows who did it. It is not much fun for user if he cannot login and his or her account has been disabled, either by accident or maliciously. If you setup properly audit in Active Directory it is very easy to find out in event logs who did what and why.

Here are steps how to setup detection of who disabled account in Active Directory on Windows Server 2012 R2.

  • Run gpedit.msc > Create a new GPO > Edit it > Go to “Computer Configuration” > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy:
  • Click Audit account management > Define > Success

In next step

  • Go to Event Log > Define:
  • Maximum security log size 4 GB
  • Retention method for security log to Overwrite events as needed

In next step  link this created GPO to your USERS OU in Active Directory.

  • Force the group policy update > In “Group Policy Management” > Right-click the defined OU > Click on “Group Policy Update
  • Open ADSI Edit > connect to Default naming context > Right-click DomainDNS object with the name of your domain
  • Click Properties > Security Tab > Advanced button > Auditing Tab > Permissions > Select all check boxes except the following:
  • Full ControlList ContentsRead all propertiesRead permissions > click “OK

Now you can go to test your new audit policy in Active Directory, go to USERS OU and disable some user account. Open Event viewer and search Security log for event ID 4725 (User Account Management task category). Once you located the event ID you should see the disabled account and your name as the one who disabled the account in Active Directory.

Incase you want to pull all these events from log in PowerShell:

PS C:\>Get-EventLog -LogName Security -Newest 10 | Where-Object { $_.EventID -eq 4725 }

This way you can check if such events happened on your server before you want to see details about the event.

Leave a Reply