This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
How can I check if the certain AD user account is still in use or not?
I am in the process of auditing and validating thousands of users across all of these groups:
Domain Admins
Enterprise Admins
Schema Admins
Administrators
Account Operators
DnsAdmins
Backup Operators
Server Management
Server Operators
Organization Management
Exchange Organization Administrators
Enterprise Key Admins
Key Admins
Before I remove or delete the AD account, I wanted to check if there is any other indicator, aside from lastlogondate or lastLogon which sometimes is blank for some unknown reason.
Any event ID or auditing policy in GPO to enable would be greatly appreciated.
Thank you in advance.
Hi @Thameur-BOURBITA , does enabling the audit logon will increase the logs on the server locally or this will be recorded in each AD domain controller?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
You can enable audit through GPO to trace logon and logoff activities.
I invite you to read the following link for more details:
Audit Success and Failed Logon Attempts in Active Directory
Please don't forget to mark helpful answer as accepted
The majority of events will be recorded in the domain controller where the domain user will be authenticated and other event locally in computer.
Check GPO settings under Advanced Audit Policy Configuration, you will find many audit option with explanation:
Advanced Audit Policy Configuration
Please don't forget to mark helpful answer as accepted