How to know when was an Account Disabled

  • Question

  • The link below explains the difference between "Account expired" and "Account Disabled".

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/682c1b80-ae6b-45c4-9d0f-cf80b75f6264/account-expired-and-account-disabled-what-is-the-difference?forum=winserverDS

    How do I find, from the user's properties window, when the account was disabled? I need the date & time.



    • Edited by Mihir_7 Monday, June 29, 2015 10:25 AM
    Monday, June 29, 2015 9:05 AM

Answers

  • Hi,

    There is no such timestamp attribute in AD that indicates an account’s disable date. The most reliable one you can refer to is “whenChanged” in an account’s properties dialog, assuming that no other changes have been made since then.

    Another way is to monitor the security logs for Event ID 4725 (it's event 629 in Windows Server 2003), which will be logged when a user is disabled. However, this is something you have to plan for before the disable actually happens – by enabling the “Account Management” auditing policy.

    Hope this helps.
     

    Regards,

    Ethan Hua


    Tuesday, June 30, 2015 10:07 AM
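
The Event ID 4725 approach from the answer above, as an added PowerShell example (not part of the original reply or of any Microsoft script). It assumes the ActiveDirectory module, read access to the domain controllers' Security logs, and that Account Management auditing was already enabled when the account was disabled; `$SamAccountName` and `$DaysBack` are hypothetical parameter names. The event is written only on the domain controller that processed the change, so every DC is queried.

```powershell
# Added example: find "A user account was disabled" events (ID 4725) on all DCs.
# Only events still retained in each DC's Security log can be returned.
param(
    [string]$SamAccountName,   # hypothetical parameter: limit output to one account
    [int]$DaysBack = 30        # hypothetical parameter: how far back to search
)

Import-Module ActiveDirectory

$filter = @{ LogName = 'Security'; Id = 4725; StartTime = (Get-Date).AddDays(-$DaysBack) }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when no event matches; this also covers unreachable DCs.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Read the named EventData fields from the XML rather than parsing message text.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeDisabled = $evt.TimeCreated
            Account      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            DisabledBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LoggedOn     = $dc.HostName
        }
    }
}

if ($SamAccountName) {
    $results = $results | Where-Object { $_.Account -like "*\$SamAccountName" }
}
$results | Sort-Object TimeDisabled -Descending
```
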
  • Please check out this earlier discussed thread, which has a suggested solution to get this job done - AD Users Disabled Date: https://social.technet.microsoft.com/Forums/en-US/2560e797-a929-4fe0-bfcb-8e7d850d865b/ad-users-disabled-date

    Find account’s disable date and more in AD: http://rajdude.com/blog/find-accounts-disable-date-and-more-in-ad/

    There are some attributes that help you decide if an AD user account or computer account is active or inactive: https://www.linkedin.com/pulse/cleaning-up-obsolete-user-computer-accounts-from-active-ajit-singh

    Hope it helps you!
    Monday, June 29, 2015 10:22 AM

All replies

  • Hi,

    You can use the below script which gives you the output on account details and last login date and account status.

    # Export account details, last logon date and enabled/disabled status for all users
    Get-ADUser -Filter * -Properties * |
        Select-Object Name, @{n="memberof";e={[string]$_.memberof}}, SamAccountName, PasswordExpired, PasswordLastSet, LastLogonDate, Enabled, DistinguishedName, DisplayName, GivenName, Surname |
        Export-Csv C:\output.csv

    Monday, June 29, 2015 10:08 AM