How to Detect Who Enabled a User Account in Active Directory

Native Auditing vs. Netwrix Auditor for Active Directory
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory
Steps
  1. Run gpedit.msc → Create a new GPO → Edit it : Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit account management → Define → Success.
  2. Go to Event Log → Define:
    • Set the maximum security log size to 4 GB
    • Set the retention method for the security log to "Overwrite events as needed".
  3. Link the new GPO to OU with User Accounts: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the created GPO.
  4. Force a Group Policy update: Go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
  5. Run adsiedit.msc → Connect to the Default naming context → Right-click the domain DNS object with the name of your domain → Click Properties → Select the Security (Tab) → Click Advanced (Button) → Select Auditing (Tab) → Add the principal "Everyone" → Type "Success" → Apply this to "This object and descendant objects" → Click Permissions → Select all check boxes except the following:
    • Full control
    • List contents
    • Read all properties
    • Read permissions → Click "OK".
  6. Open Event Viewer and search the security log for event ID 4722 (a user account was enabled).
Sample Report - How to Detect Who Enabled a User Account in Active Directory
  1. Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “Active Directory”
    • Filter = “Details”
      Operator = “Contains”
      Value = “User Account Enabled”
  2. Click the “Search” button and review who enabled which user accounts in your Active Directory.
Netwrix Auditor report on who enabled user account in Active Directory

 

In order to create an alert triggered each time whenever someone enables a user account:

  1. From the search results, navigate to “Tools” → Click “Create alert” → Specify the new alert’s name.
  2. Switch to the “Recipients” tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click “Add” to save the alert.
Learn more about Netwrix Auditor for Active Directory

Secure Your Infrastructure by Identifying the Recently Enabled Accounts

If an account is enabled without reasonable cause, it may be a sign that an attacker is trying to gain access to the network. Constant monitoring of recently enabled accounts pinpoints who is trying to get unauthorized access to the system and helps to quickly remedy the issue.

Related How-tos
How to Monitor User Logоns in a Domain How to Detect Who Created a User Account in Active Directory How to Export Members of a Particular AD Group How to Restore Active Directory Users How to Export Group Policy Settings in Minutes How to Export a Computer List from Active Directory