AD disabled date

crib bar 266 Reputation points
2021-02-16T17:08:38.767+00:00

Is there a user attribute anywhere in AD which captures the date and time an account was disabled? Or any other way of verifying such information.


5 answers

  1. SUNOJ KUMAR YELURU 13,436 Reputation points MVP
    2021-02-16T22:44:58.183+00:00

    HI @crib bar

    This will give you a list of accounts that have not logged on since a specific date and are disabled:

    Powershell

    Get-ADUser -Filter {Enabled -eq $False} -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name  
    

    This will do the same thing, but let you choose the OU to search in:

    Get-ADUser -Filter {Enabled -eq $False} -SearchBase "OU=OUToSearch,DC=YourDomainName,DC=local" -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name  
    

    AD Users Disabled Date

    If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.

    2 people found this answer helpful.

  2. Gary Reynolds 9,206 Reputation points
    2022-03-29T20:07:44.66+00:00

    Hi @crib bar and @Arnaud Cedric Mbouya

    Unfortunately there is no attribute that provides a 100% reliable method to get the date that a user was disabled. The AD account auditing option suggested above is probably the best option; however, this must be enabled before the account is disabled and the events stored for future reference, in case the audit event log entries are overwritten. The whenChanged attribute records when the last change was made to the account, and as a result any subsequent changes to the account will also change this attribute, including a failed logon. The lastLogon date is exactly that, and the account may have been disabled some time after the last time the user logged on.

    The closest you can get to an attribute on the user object is the AD replication metadata for the object. However, this also is not 100% reliable, as the userAccountControl attribute which is used to disable the user is also used to control a number of behaviours for the account, so this method makes the assumption that the last management operation completed on the account was to disable it.

    To view the metadata of an object you can use repadmin /showobjmeta, or you can follow this article and use a GUI to display the details: https://nettools.net/how-to-display-the-meta-data-of-an-ad-object/

    The time against the userAccountControl attribute is the last time the attribute was changed, which we assume is the date the account was disabled.

    (attached screenshot: 188067-image.png)

    Gary.

    2 people found this answer helpful.

  3. Fan Fan 15,261 Reputation points Microsoft Vendor
    2021-02-17T02:01:33.18+00:00

    Hi,

    You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy:
    Audit account management
    When a user account is renamed, disabled, or enabled, events will be logged.
    For the user disabled operation, you can refer to:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725

    Best Regards,

    1 person found this answer helpful.
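Added example (not part of any answer on this page): once "Audit account management" is enabled as described above, the 4725 events can be collected from every domain controller rather than read by hand, since each DC logs only the disables it processed itself. The function name, parameter names and the 30-day default window are my own choices; the event ID and its TargetUserName/SubjectUserName fields come from the linked event-4725 documentation.

```powershell
function Get-AccountDisabledEvent {
    # Collects Security event 4725 ("A user account was disabled") from every DC
    # in the domain. The event is written only on the DC that performed the change,
    # so a single-DC query can miss disables done elsewhere.
    [CmdletBinding()]
    param(
        [string]$SamAccountName,                         # optional: one account only
        [datetime]$StartTime = (Get-Date).AddDays(-30)   # how far back to search
    )

    $filter = @{ LogName = 'Security'; Id = 4725; StartTime = $StartTime }

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Get-WinEvent throws when nothing matches; treat that as "no events on this DC".
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue
        foreach ($evt in $events) {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($SamAccountName -and $data.TargetUserName -ne $SamAccountName) { continue }

            [pscustomobject]@{
                DisabledAt       = $evt.TimeCreated
                Account          = "$($data.TargetDomainName)\$($data.TargetUserName)"
                DisabledBy       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                DomainController = $dc.HostName
            }
        }
    }
}

# Usage: all disables in the last 30 days, or one account further back.
Get-AccountDisabledEvent | Sort-Object DisabledAt
Get-AccountDisabledEvent -SamAccountName 'jdoe' -StartTime (Get-Date).AddDays(-365)
```

Because Security logs roll over, events older than the log retention are gone regardless of this query; forward the 4725 events to a SIEM if the disable date must be recoverable later.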

  4. Arnaud Cedric Mbouya 1 Reputation point
    2022-03-29T14:15:41.15+00:00

    The attribute whenChanged will give you the date that the last change has been made on accounts.

    Get-ADUser -Filter {(Enabled -eq $False)} -Properties Name,whenChanged | Select-Object Name, whenChanged | Export-csv C:\Userdisabled.csv -NoTypeInformation


  5. Arvind Sindhu 6 Reputation points
    2022-11-24T11:56:37.097+00:00

    @crib bar

    I think there is a simple solution to this requirement. You can search the AD replication metadata. This will give the correct value for when the UAC value was last changed. You can use the PowerShell command below to get this value, and you can further use it to fetch information for one account or multiple accounts from a CSV or OU. Please update the values highlighted in bold per your organisation's AD setup.

    Get-ADUser <sAMAccountName> | Get-ADReplicationAttributeMetadata -Server <PDC FQDN> -Properties userAccountControl | Select-Object Object, LastOriginatingChangeTime, AttributeName, AttributeValue

    Hope this helps.
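Added example (my own code, not from this answer or Gary's): it turns the replication-metadata approach from the two answers above into a report over all disabled accounts and attaches the sanity checks Gary describes, so the reader can see when the userAccountControl timestamp should not be trusted. The function and parameter names, the ACCOUNTDISABLE bit constant and the assessment wording are assumptions of mine; PDC emulator as the default server is a choice, not a requirement.

```powershell
function Get-ProbableDisableDate {
    # For each disabled user, LastOriginatingChangeTime of userAccountControl is the
    # best available estimate of the disable date. It is only right if disabling was
    # the LAST change to that attribute, so the result carries an assessment.
    [CmdletBinding()]
    param(
        [string]$SearchBase,                              # optional OU distinguished name
        [string]$Server = (Get-ADDomain).PDCEmulator      # DC whose metadata to read
    )

    $ACCOUNTDISABLE = 0x2   # userAccountControl flag that makes Enabled = $false

    $query = @{
        Filter     = 'Enabled -eq $false'
        Properties = 'userAccountControl', 'whenChanged', 'lastLogonDate'
        Server     = $Server
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $Server -Properties userAccountControl | Select-Object -First 1
        $uacChanged = $meta.LastOriginatingChangeTime

        # Version counts originating writes; 1 means UAC was never changed after
        # creation, i.e. the account was created already disabled.
        $assessment =
            if (($user.userAccountControl -band $ACCOUNTDISABLE) -eq 0) { 'Inconsistent: disable bit not set' }
            elseif ($meta.Version -le 1)                                 { 'Created disabled; timestamp is creation time' }
            elseif ($user.lastLogonDate -gt $uacChanged)                 { 'Inconsistent: logon after last UAC change' }
            elseif ($user.whenChanged -gt $uacChanged.AddMinutes(5))     { 'Estimate; other attributes changed later' }
            else                                                         { 'Estimate; UAC change was the last change' }

        [pscustomobject]@{
            SamAccountName      = $user.SamAccountName
            ProbableDisableDate = $uacChanged
            UacVersion          = $meta.Version
            WhenChanged         = $user.whenChanged
            LastLogonDate       = $user.lastLogonDate
            Assessment          = $assessment
        }
    }
}

# Usage: whole domain, or one OU, exported for review.
Get-ProbableDisableDate -SearchBase 'OU=Leavers,DC=example,DC=local' |
    Export-Csv C:\DisabledAccounts.csv -NoTypeInformation
```

Any later edit of userAccountControl (password never expires, smart-card required, and so on) moves the timestamp forward, which is why the 4725 audit event remains the only authoritative source.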