RE: [NTSysADM] who and when an AD user account disabled

[Michael B. Smith]

You can look at WhenChanged on the object to see the last time it was changed.

Of course, if it has been enabled or otherwise touched, that will no longer be 
valid.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Webster
Sent: Thursday, February 20, 2014 12:58 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] who and when an AD user account disabled


​Their Security event log has already wrapped in the last 4 hours so I doubt I 
will be able to go back to December when they think the account was 
mysteriously disabled.





Webster

________________________________
From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
<listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>> on 
behalf of Christopher Bodnar 
<christopher_bod...@glic.com<mailto:christopher_bod...@glic.com>>
Sent: Thursday, February 20, 2014 11:55 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] who and when an AD user account disabled

If auditing of that is enabled, not sure what the default is... .yes. Event ID 
4725 for user accounts in 2008.  On 2003 it was 629.


Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com<mailto:>

[cid:image001.jpg@01CF2E3C.A45F7AF0]

The Guardian Life Insurance Company of America

www.guardianlife.com<http://www.guardianlife.com/>







From:        Webster <webs...@carlwebster.com<mailto:webs...@carlwebster.com>>
To:        "ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>" 
<ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>>
Date:        02/20/2014 12:46 PM
Subject:        [NTSysADM] who and when an AD user account disabled
Sent by:        
listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>
________________________________



Is it possible, using PoSH or another utility, to find out who disabled a 
user's account and when it happened?  All DCs are 2008 R2 and DFL/FFL are both 
2008 R2.

Thanks


Webster
​
________________________________
----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.

<<inline: image001.jpg>>