Windows Server

How to detect who disabled a user in Active Directory – Best Monitoring Tools and Software

This method is a pretty straight forward approach when using a third party Software to monitor Active directory. Some monitoring tools and software are as follows. These tools help in mitigating challenges when it comes to managing and monitoring AD.

  • Data Protection Manager from Microsoft
  • Microsoft System Center Management Pack for ADDS
  • Spiceworks
  • Netwrix
  • SolarWinds Server and Application Manager
  • ManageEngine ADManager Plus
  • ManageEngine ADAudit Plus
  • Lepide Active Directory Auditor
  • Netwrix Auditor for AD
  • Quest Active Administrator
  • Varonis
  • FirstWare AD-Inspector
  • Quest Active Administrator
  • PRTG Active Directory Monitor

Above are some tools and there are many others that are capable of monitoring the Active Directory environment. To determine who has disabled a user using built-in Active Directory tools, follow the steps below.

– Launch the Group Policy Management tool

– Create a new GPO

Name the GPO whatever you desire as shown below

Now and edit the newly created GPO as shown below

This will be open the “Group Policy Management Editor”
– Go to “Computer Configuration”
– Click on Policies
– Windows Settings
– Security Settings
– Local Policies and
– Audit Policy: Here on the “Audit account management”
– Define these policy settings to “Success”

The result will be as shown below

Next, navigate to Event Log and define the policy settings as shown below.
– Maximum security log size to 4194304 KB

– Retention method for security log to Overwrite events as needed.

Next, link the new GPO to the OU with User Accounts that you want to audit
– Go to “Group Policy Management”
– Right-click the defined OU
– Choose “Link an Existing GPO”

– Choose the GPO that you’ve created.

In this way, the GPO will be link to the OU as shown below

Next, update the group policy on the Employee OU. Here are the steps to do this below

On the Group Policy Management prompt as shown below,
– Click on OK

Fire up the ADSI Edit Tool

This will open the ADSI Tool and
– Click on connect to

– Connect to Default naming context

– Right-click DomainDNS object with the name of your domain “Mine here is TechDirectArchive”

– Click on Properties and then
– Switch to the Security tab
– Click on Advanced

This will open the “Advanced Security Settings for your domain “TechDirectArchive”
– Navigate to the Auditing tab

– Add Principal “Everyone”

– Click on Success “Success”
– Applies to “This object and Descendant objects”
– Permissions: Select all checkboxes except the following not checked in the image below

The screenshoot below is the result of the permissions assigned to everyone

And click on “ok” to close the security properties windows

To test, open the “Event Viewer”

– Navigate to the Windows log
– Security
– Click on “Filter Current Log”

– Search Security log for event ID’s 4725 (User Account Management task category)

This will display the number of disabled users in the Event log as performed in this article

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x