
How to detect who disabled a user in Active Directory – Best Monitoring Tools and Software


Detecting who disabled a user is pretty straightforward when you use third-party software to monitor Active Directory. Some monitoring tools and software are listed below. These tools help mitigate the challenges of managing and monitoring AD.

  • Data Protection Manager from Microsoft
  • Microsoft System Center Management Pack for ADDS
  • Spiceworks
  • Netwrix https://www.netwrix.com/top_7_freeware_tools.html
  • SolarWinds Server and Application Manager
  • ManageEngine ADManager Plus
  • ManageEngine ADAudit Plus
  • Lepide Active Directory Auditor
  • Netwrix Auditor for AD
  • Quest Active Administrator
  • Varonis
  • FirstWare AD-Inspector
  • PRTG Active Directory Monitor

Above are some tools, and many others are capable of monitoring the Active Directory environment (including detecting who disabled a user in Active Directory). To determine who has disabled a user using built-in Active Directory tools, follow the steps below.

– Launch the Group Policy Management tool


– Create a new GPO


Name the GPO whatever you desire as shown below

Now edit the newly created GPO as shown below

This will open the “Group Policy Management Editor”
– Go to “Computer Configuration”
– Click on Policies
– Windows Settings
– Security Settings
– Local Policies
– Audit Policy: open “Audit account management”
– Define this policy setting to “Success”


The result will be as shown below


Next, navigate to Event Log and define the policy settings as shown below.
– Maximum security log size to 4194304 KB


– Retention method for security log to Overwrite events as needed.


Next, link the new GPO to the OU with User Accounts that you want to audit
– Go to “Group Policy Management”
– Right-click the defined OU
– Choose “Link an Existing GPO”


– Choose the GPO that you’ve created.


In this way, the GPO will be linked to the OU as shown below

Next, update Group Policy on the Employee OU. The steps to do this are below

On the Group Policy Management prompt as shown below,
– Click on OK


Fire up the ADSI Edit Tool


This will open the ADSI Edit tool
– Click on “Connect to”

– Connect to Default naming context

– Right-click the DomainDNS object with the name of your domain (mine here is “TechDirectArchive”)

– Click on Properties and then
– Switch to the Security tab
– Click on Advanced

This will open the “Advanced Security Settings” window for your domain (“TechDirectArchive”)
– Navigate to the Auditing tab

– Add Principal “Everyone”

– Click on “Success”
– Applies to “This object and Descendant objects”
– Permissions: Select all checkboxes except those left unchecked in the image below

The screenshot below is the result of the permissions assigned to Everyone

Click on “OK” to close the security properties windows

To test, open the “Event Viewer”

– Navigate to the Windows log
– Security
– Click on “Filter Current Log”

– Search the Security log for event ID 4725 (User Account Management task category)

This will display the number of disabled users in the event log, as performed in this article: https://techdirectarchive.com/2020/03/19/how-to-find-disabled-active-directory-user-accounts/
