{"id":197,"date":"2012-05-01T14:18:53","date_gmt":"2012-05-01T18:18:53","guid":{"rendered":"http:\/\/rajdude.com\/blog\/?p=197"},"modified":"2017-03-07T10:23:21","modified_gmt":"2017-03-07T15:23:21","slug":"find-accounts-disable-date-and-more-in-ad","status":"publish","type":"post","link":"https:\/\/rajdude.com\/blog\/find-accounts-disable-date-and-more-in-ad\/","title":{"rendered":"Find account&#8217;s disable date and more in AD"},"content":{"rendered":"<p>First of all, please note that\u00a0 there is no disabled time stamp attribute in AD.<\/p>\n<p>Having said that, here are some tips to find when an account was disabled in Active directory:<\/p>\n<p>You can use ADSIedit to look at an account&#8217;s properties. Scroll all the way down and look at the\u00a0Attribute called &#8220;whenChanged&#8221;. This will tell you when the account was disabled.<\/p>\n<p><!--more--><\/p>\n<p>The only relevant attributes AD records are :<\/p>\n<ul>\n<li>whenCreated<\/li>\n<li>\\whenChanged<\/li>\n<li>createTimeStamp<\/li>\n<li>modifyTimeStamp.<\/li>\n<\/ul>\n<p>Unfortunately, if any change has been made to the object since it was disabled, this will update whenChanged and modifyTimeStamp. The Attribute &#8220;whenChanged&#8221; is the more reliable one because it gets replicated to all DCs.<\/p>\n<p>The only other option is to search the event logs. Look at the security logs and filter \/ search for event ID # 629. This will tell you when the user ID was disabled. It will also tell you who did it.<\/p>\n<p>Here is an interesting <a href=\"http:\/\/support.microsoft.com\/kb\/174074\" target=\"_blank\">KB article<\/a>. This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of &#8220;Security.&#8221;<\/p>\n<p>Another\u00a0useful script:<\/p>\n<p>How to find user accounts disabled between two dates:<\/p>\n<p>The following script uses dsquery and finds all disabled users that were last modified between Jan 12, 2011, and March 1, 2011:<\/p>\n<pre>dsquery * -filter \"(&amp;(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenChanged&gt;=20110112000000.0Z)(whenChanged&lt;=20110301000000.0Z))\"<\/pre>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>First of all, please note that\u00a0 there is no disabled time stamp attribute in AD. Having said that, here are some tips to find when an account was disabled in Active directory: You can use ADSIedit to look at an account&#8217;s properties. Scroll all the way down and look at the\u00a0Attribute called &#8220;whenChanged&#8221;. This will tell you when the account was disabled.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[33,29],"class_list":["post-197","post","type-post","status-publish","format-standard","hentry","category-itsys","tag-active-directory","tag-system-administration"],"_links":{"self":[{"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/posts\/197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/comments?post=197"}],"version-history":[{"count":4,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/posts\/197\/revisions"}],"predecessor-version":[{"id":199,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/posts\/197\/revisions\/199"}],"wp:attachment":[{"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/media?parent=197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/categories?post=197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rajdude.com\/blog\/wp-json\/wp\/v2\/tags?post=197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}