IT Systems Engineering

Find account’s disable date and more in AD

First of all, please note that  there is no disabled time stamp attribute in AD.

Having said that, here are some tips to find when an account was disabled in Active directory:

You can use ADSIedit to look at an account’s properties. Scroll all the way down and look at the Attribute called “whenChanged”. This will tell you when the account was disabled.

The only relevant attributes AD records are :

  • whenCreated
  • \whenChanged
  • createTimeStamp
  • modifyTimeStamp.

Unfortunately, if any change has been made to the object since it was disabled, this will update whenChanged and modifyTimeStamp. The Attribute “whenChanged” is the more reliable one because it gets replicated to all DCs.

The only other option is to search the event logs. Look at the security logs and filter / search for event ID # 629. This will tell you when the user ID was disabled. It will also tell you who did it.

Here is an interesting KB article. This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of “Security.”

Another useful script:

How to find user accounts disabled between two dates:

The following script uses dsquery and finds all disabled users that were last modified between Jan 12, 2011, and March 1, 2011:

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged>=20110112000000.0Z)(whenChanged<=20110301000000.0Z))"

 

7 Comments

    • Jennifer

      You have to change the dates in the “WhenChanged” commands. The script was set to only show dates between Jan 12, 2011, and March 1, 2011. You have to change those to be 2015011200000.0z and 201512012000000.0z to get Jan 2015 to Dec. 2015

  • You are a big fuck head

    Are you fucking serious you filthy peasant?
    How does WhenChanged show the disabled date when any change I make changes the WhenChanged date?

    • Rajeev

      I take it someone woke up on the wrong side of the bed today, eh Mate?

      BTW, looks like you did not read the whole post. I have already mentioned in the post

      Unfortunately, if any change has been made to the object since it was disabled, this will update whenChanged and modifyTimeStamp.

  • James

    There is no attribute in AD for the date when the account was disabled. The best you can do is retrieve the whenChanged attribute. If no changes have been made to the object since it was disabled (which is likely), this will be the date you want.

Leave a Reply to You are a big fuck head Cancel reply

Your email address will not be published. Required fields are marked *

Prove that you are a human *