AD disabled date

crib bar 266 Reputation points

Is there a user attribute anywhere in AD which captures the date and time an account was disabled? Or any other way of verifying such information.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,147 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,607 questions
{count} votes

5 answers

Sort by: Most helpful
  1. SUNOJ KUMAR YELURU 13,436 Reputation points MVP

    HI @crib bar

    This will give you a list of accounts that have not logged on since a specific date and are disabled:


    Get-ADUser -Filter {Enabled -eq $False} -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name  

    This will do the same thing, but let you choose the OU to search in:

    Get-ADUser -Filter {Enabled -eq $False} -SearchBase "OU=OUToSearch,DC=YourDomainName,DC=local" -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name  

    AD Users Disabled Date

    If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.

    2 people found this answer helpful.
    0 comments No comments

  2. Gary Reynolds 9,206 Reputation points

    Hi @crib bar and @Arnaud Cedric Mbouya

    Unfortunately there is no attribute that provides a 100% reliable method to get the date that a user was disabled. The AD account auditing option suggested above is the probably best option however, this must be enabled before the account is disabled and the events stored for future reference, in case the audit event log entries are overwritten. The whenchanged attribute records when the last changed was made to the account and as a result any subsequent changes to the account will also change this attribute, including a failed logon. The lastlogon date is exactly that, and the account may have been disabled sometime after the last time the user logged on.

    The closest you you can get to an attribute on the user object, is the AD replication meta data for the object. However, this also, is not 100% reliable as the useraccountcontrol attribute which is used to disabled the user, is also used to control a number of behaviours for the account, so this method makes the assumption that the last management operation completed on the account was to disable it.

    To view the meta data of an object you can use repadmin /showobjmeta or you can follow this article and use a GUI to display the details

    The time against the useraccountcontrol attribute is the last time the attribute was changed, which we assume is date the account was disabled.



    2 people found this answer helpful.
    0 comments No comments

  3. Fan Fan 15,261 Reputation points Microsoft Vendor


    You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
    Audit account management
    When a user account is renamed, disabled, or enabled , events will be logged.
    For user disabled operation, you can refer to:

    Best Regards,

    1 person found this answer helpful.
    0 comments No comments

  4. Arnaud Cedric Mbouya 1 Reputation point

    The attribute Whenchanged will give you the date that the last change have been done on accounts.

    Get-ADUser -Filter {(Enabled -eq $False)} -Properties Name,whenChanged | Select-Object Name, whenChanged | Export-csv C:\Userdisabled.csv -NoTypeInformation

  5. Arvind Sindhu 6 Reputation points

    @crib bar

    I think there is a simple solution to this requirement. You can search for AD Replication metadata. This will give correct value on when UAC value was last changed. You can use below PowerShell command to get this value, you can further use it to get fetch information for 1 account or multiple accounts from CSV or OU. Please update the values highlighted in bold per your Organisation AD setup.

    Get-ADuser sAMAccountName | Get-ADReplicationAttributeMetadata -Server PDC FQDN -Properties userAccountControl | select Object, LastOriginatingChangeTime, AttributeName, AttributeValue

    Hope this helps.