How to detect who disabled a user in Active Directory

This method is a pretty straightforward approach when using a third-party Software to monitor the Active Directory. These tools help in mitigating challenges when it comes to managing and monitoring AD. In this article, we shall discuss how to detect who disabled a user in Active Directory. Please see how to detect if an application was uninstalled on Windows: Find out who has uninstalled an application via Windows Event Viewer, and how to find out who restarted Windows Server.

Some monitoring tools and software are as follows.

• Data Protection Manager from Microsoft
• Microsoft System Center Management Pack for ADDS
• Spiceworks
• Netwrix
• SolarWinds Server and Application Manager
• ManageEngine ADManager Plus
• ManageEngine ADAudit Plus
• Lepide Active Directory Auditor
• Netwrix Auditor for AD
• Quest Active Administrator
• Varonis
• FirstWare AD-Inspector
• Quest Active Administrator
• PRTG Active Directory Monitor

Many others are capable of monitoring the Active Directory environment (detect who disabled a user in Active Directory).

Determine who has disabled a user

To determine who has disabled a user using built-in Active Directory tools, follow the steps below. Launch the Group Policy Management tool

Create a new GPO

Name the GPO whatever you desire as shown below

Now edit the newly created GPO as shown below

Enable the Audit Policy

This will be open the “Group Policy Management Editor”
– Go to “Computer Configuration”
– Click on Policies
– Windows Settings
– Security Settings
– Local Policies and
– Audit Policy: Here on the “Audit account management”
– Define these policy settings to “Success”

The result will be as shown below

Define the log Size

Next, navigate to Event Log and define the policy settings as shown below. Maximum security log size to 4194304 KB

Retention method for security log to Overwrite events as needed.

Next, link the new GPO to the OU with User Accounts that you want to audit
– Go to “Group Policy Management”
– Right-click the defined OU
– Choose “Link an Existing GPO”

Choose the GPO that you’ve created.

In this way, the GPO will be linked to the OU as shown below

Next, update the group policy on the Employee OU. Here are the steps to do this below

On the Group Policy Management prompt as shown below. Click on OK

Fire up the ADSI Edit Tool

This will open the ADSI Tool and click on Connect to

Connect to Default naming context

Right-click DomainDNS object with the name of your domain “Mine here is TechDirectArchive”

Click on Properties and then switch to the Security tab. Click on Advanced

This will open the “Advanced Security Settings for your domain “TechDirectArchive”. Navigate to the Auditing tab

Add User, Computer or Group etc

Add Principal “Everyone”

Click on Success “Success”. This applies to “This object and Descendant objects”.

Permissions: Select all checkboxes except the following not checked in the image below

The screenshot below is the result of the permissions assigned to everyone

Click on “ok” to close the security properties windows. To test, open the “Event Viewer”. See the Various methods to launch the Event Viewer.

Navigate to the Windows log, Security, and click on “Filter Current Log”.

Search the Security log for event ID 4725 (User Account Management task category)

This will display the number of disabled users in the Event log as performed

Also, see Viewing Scheduled Events on AW using the Command Line (CLI), and how to Query MBAM to display the BitLocker Recovery report.

FAQs

I hope you found this article useful on How to detect who disabled a user in Active Directory. Please feel free to leave a comment below.