How to Detect Who Enabled a User Account in Active Directory


Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing: Steps
  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit account management → Define → Success.
  2. Go to Event Log → Define:
    • Set the maximum security log size to 4 GB
    • Set the retention method for the security log to "Overwrite events as needed".
  3. Link the new GPO to OU with User Accounts: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the created GPO.
  4. Force a Group Policy update: Go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
  5. Run adsiedit.msc → Connect to the Default naming context → Right-click the domain DNS object with the name of your domain → Click Properties → Select the Security (Tab) → Click Advanced (Button) → Select Auditing (Tab) → Add the principal "Everyone" → Type "Success" → Apply this to "This object and descendant objects" → Click Permissions → Select all check boxes except the following:
    • Full control
    • List contents
    • Read all properties
    • Read permissions → Click "OK".
  6. Open Event Viewer and search the security log for event ID 4722 (a user account was enabled).
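Instead of scrolling through Event Viewer, the same lookup can be scripted. The following PowerShell is an added example and is not part of the original page or a Netwrix tool; it assumes it is run on (or pointed at) a domain controller by an account that can read the Security log, and it reads the "who enabled whom" fields straight out of the event ID 4722 XML.

```powershell
# Added example: report who enabled which user account, from Security event ID 4722.
# Assumptions: run on a domain controller (or pass -ComputerName for another DC) with
# read access to the Security log; auditing from the GPO steps above is already in place.
function Get-AccountEnableEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # DC to query (assumed: the local machine)
        [int]$Days = 7                              # look-back window (assumed: one week)
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4722                            # "A user account was enabled"
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports "No events were found" as an error when nothing matches;
    # treat that as an empty result rather than a failure.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The named fields (SubjectUserName, TargetUserName, ...) live in the event XML,
        # so parse it instead of relying on the free-text Message.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $e.MachineName
            EnabledBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            EnabledAccount   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            SubjectLogonId   = $data['SubjectLogonId']   # correlates with the 4624 logon event
        }
    }
}

# Example run: last 7 days on the local DC, newest first.
Get-AccountEnableEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Because account-management events are written on whichever domain controller processed the change, run the function against each DC (or a central log collector) rather than a single one.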

Netwrix Auditor for Active Directory: Steps
  1. Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “Active Directory”
    • Filter = “Details”
      Operator = “Contains”
      Value = “User Account Enabled”
  2. Click the “Search” button and review who enabled which user accounts in your Active Directory.

Netwrix Auditor report on who enabled user account in Active Directory

To create an alert that is triggered each time someone enables a user account:

  1. From the search results, navigate to “Tools” → Click “Create alert” → Specify the new alert’s name.
  2. Switch to the “Recipients” tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  3. Click “Add” to save the alert.

Secure Your Infrastructure by Identifying the Recently Enabled Accounts

If an account is enabled without a legitimate reason, it may be a sign that an attacker is trying to gain access to the network. Continuous monitoring of recently enabled accounts helps identify who is attempting unauthorized access and lets you remediate the issue quickly.