locked
Need to Know the Date When an AD Object was disabled RRS feed

  • General discussion

  • Hi Guys, I need to know when -- on which date -- an AD User-Account was disabled.

    I can use the LDAP Filter to list all disabled User-Accounts. No problem here. But, I also need to know on which date these accounts were disabled. Please help.

    I can use the "WhenChanged" attribute to know when the account was last modified. The below code will give me the date when the object was last modified.

    Set objUser = GetObject("LDAP://cn=ken myer, ou=Finance, dc=fabrikam, dc=com")
    WScript.Echo objUser.WhenChanged

    But that does not give me the exact date on which the account was "Disabled". I need to know the date on which the Ad account was "Disabled" -- User Account Or Computer account any one will do.

    Please help ! Any suggestion or pointer is greatly appreciated.

    Monday, September 1, 2014 1:40 PM

All replies

  • If auditing is turned on it will be in  the Event Log of the DC that handled the item.  Post in Directory Services forum to learn how to audit and track AD events.

    Get-WinEvent -FilterHashtable @{Logname='Security';ID=4725} -Computer DC1

    HELP Get-WinEvent -Full


    ¯\_(ツ)_/¯

    Monday, September 1, 2014 2:02 PM
  • Here is how to XPath a specific user account by SamAccountName

    $targetUser='test.user'
    $xpath2="*[System[EventID=4725] and EventData[Data[@Name='TargetUserName']='$targetUser']]"
    Get-WinEvent -FilterXPath $xpath2 -LogName Security


    ¯\_(ツ)_/¯

    Monday, September 1, 2014 2:16 PM
  • Thanks
    Friday, September 5, 2014 8:12 PM