Query on EventLogs

Glenn Maxwell 13,761 Reputation points
2026-06-12T06:24:15.6566667+00:00

Hi All,

I have a few user accounts that have been disabled in Active Directory. As part of an audit, I have been asked to provide evidence that these users did not access any systems after their AD accounts were disabled.

Could you please advise on the best way to verify this using Active Directory logs? Specifically, which event logs or event IDs should be reviewed to determine whether a disabled account successfully authenticated or attempted to authenticate after it was disabled?

Any guidance or best practices would be greatly appreciated.

Windows for business | Windows Server | Directory services | Active Directory
2 answers

  1. VPHAN 35,770 Reputation points Independent Advisor
    2026-06-12T07:07:32.9433333+00:00

    Hi Glenn Maxwell,

    To verify that disabled Active Directory accounts have not accessed any systems, you must first establish an audit baseline by querying the Domain Controller Security logs for Event ID 4725, which records the exact timestamp the account was disabled.

    To prove no access occurred after this point, you must demonstrate a total absence of Event ID 4624 (successful logon) for those users past that baseline date.

    To further strengthen your audit with definitive proof of rejected access, search for Event ID 4625 (failed logon) containing the specific sub-status code 0xC0000072, which explicitly indicates the system blocked the logon because the account is disabled. Additionally, monitor network-level Kerberos traffic for Event ID 4771 with failure code 0x12, confirming that the Domain Controller rejected pre-authentication requests due to a revoked or disabled client status.

    Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VPHAN


  2. AI answer

    2026-06-12T06:24:32.6933333+00:00

    For this type of audit, the focus should be on Windows security auditing on domain controllers and relevant member servers, using the standard and advanced audit policy categories for logon and account management.

    1. Ensure appropriate audit policy is enabled

    Configure Windows Audit Policy (preferably via Group Policy) so that domain controllers and key servers log:

    • Account Logon Events (and advanced subcategories under it)
    • Logon Events
    • Account Management → User Account Management

    These categories/subcategories record:

    • Authentication of domain accounts on domain controllers
    • Interactive/network/service logons on member servers and workstations
    • User account changes such as disable/enable

    Audit policy can be configured via Group Policy under:

    • Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
    • Or advanced subcategories under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy

    Auditpol.exe can also be used, for example:

    auditpol /set /subcategory:"user account management" /success:enable /failure:enable
    
    2. Identify when each account was disabled

    Use the User Account Management audit events on domain controllers to find the exact timestamp when each user account was disabled. These events are generated when a user account is disabled or enabled.

    3. Review logon-related events after the disable time

    After the disable timestamp for each account, review:

    • Account Logon Events on domain controllers
      • These report validation of credentials for domain accounts. They show when a domain controller processed a logon attempt (success or failure) for the disabled account.
    • Logon Events on member servers/workstations
      • These show actual logon sessions (interactive, network, RDP, service, etc.) using the account.

    Look for any events where:

    • The account name matches the disabled user, and
    • The event time is later than the disable time.

    If audit policy is configured to log both Success and Failure, the logs will show:

    • Successful authentications (which should not occur after disable)
    • Failed logon attempts (evidence of attempted use of the disabled account)

    4. Correlate results for audit evidence

    For each disabled account:

    1. Capture the User Account Management event that shows the account was disabled (with timestamp and administrator account that performed the action).
    2. Query Account Logon and Logon events on domain controllers and key servers for that user name after the disable timestamp.
    3. Document that no successful logons exist after the disable time, and list any failed attempts if present.

    5. Best practices

    • Ensure that only a small, controlled set of administrators can modify user accounts, especially privileged and VIP accounts, and that their actions are audited.
    • Monitor privileged and VIP accounts and changes to key attributes such as userAccountControl (which includes the disabled flag).
    • Use a SIEM to collect and correlate security logs from all domain controllers and critical servers, and to alert on:
      • Logon attempts with disabled accounts
      • Changes to privileged accounts and groups


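The following script is an added example and is not code from the question or from either answer above. It walks the procedure both answers describe in one pass: confirm the audit subcategories are enabled (the AI answer's step 1), take the disable timestamp from Event ID 4725 on every domain controller (the baseline VPHAN's answer starts from), then pull every 4624, 4625, 4768 and 4771 for those accounts after that time from every DC plus any member servers you name, and write a per-user CSV and a summary. It assumes it is run with domain-admin rights on a host with the ActiveDirectory RSAT module installed, that remote event-log access (RPC) to each DC is allowed, and that Success and Failure auditing is enabled for the subcategories it checks. The user names in $Users, the $MemberServers list and $OutDir are placeholders; the fallback to userAccountControl replication metadata when no 4725 survives in the log is this example's own choice, not something either answer proposes.

```powershell
# Added example (not from the original thread): evidence that disabled AD accounts
# did not authenticate after they were disabled. $Users/$MemberServers/$OutDir are
# placeholders. Requires the ActiveDirectory module and remote event-log access to each DC.
param(
    [string[]]$Users         = @('jdoe', 'asmith'),                # placeholder sAMAccountNames under audit
    [string[]]$MemberServers = @(),                                # optional hosts that also hold 4624/4625 (RDS, file servers)
    [string]  $OutDir        = "$env:TEMP\disabled-account-audit"  # placeholder output folder
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$DCs   = @((Get-ADDomainController -Filter *).HostName)
$Hosts = $DCs + $MemberServers

# Step 1: confirm the subcategories the evidence depends on are audited for Success AND
# Failure on this host. Without Failure auditing no 4625/4771 can exist, so "nothing found"
# would prove nothing. Prints the effective setting line for each subcategory.
foreach ($sub in 'User Account Management', 'Logon', 'Credential Validation', 'Kerberos Authentication Service') {
    (auditpol /get /subcategory:"$sub") | Where-Object { $_ -match "^\s*$([regex]::Escape($sub))\s" }
}

# Turn one event's EventData into a hashtable keyed by field name (TargetUserName, Status, ...).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Step 2: the baseline. Collect every 4725 ("A user account was disabled") from every DC once,
# keep the latest per account. If the Security log has already rolled past the disable date,
# fall back to replication metadata for userAccountControl, the attribute holding ACCOUNTDISABLE
# (that gives the last change to the attribute, which may be later than the disable itself).
$disabled = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4725 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            [pscustomobject]@{ Target = $d['TargetUserName']; By = $d['SubjectUserName']; DC = $dc; Time = $_.TimeCreated }
        }
}
$baseline = @{}
foreach ($u in $Users) {
    $ev = $disabled | Where-Object Target -eq $u | Sort-Object Time | Select-Object -Last 1
    if ($ev) {
        $baseline[$u] = [pscustomobject]@{ Time = $ev.Time; Source = "4725 on $($ev.DC) by $($ev.By)" }
    } else {
        $meta = Get-ADReplicationAttributeMetadata -Object (Get-ADUser $u).DistinguishedName -Server $DCs[0] -Properties userAccountControl
        $baseline[$u] = [pscustomobject]@{ Time = $meta.LastOriginatingChangeTime; Source = 'userAccountControl replication metadata (no 4725 in log)' }
    }
}

# Step 3: every authentication-related event for those accounts after the baseline.
# 4624 = session opened; 4625 = rejected logon (SubStatus 0xC0000072 = account disabled);
# 4768 = TGT request (Status 0x0 = ticket issued, 0x12 = client credentials revoked/disabled);
# 4771 = Kerberos pre-authentication failure. Match on sAMAccountName and UPN, since
# Kerberos events carry whichever name form the client supplied.
$findings = foreach ($u in $Users) {
    $names = @($u, (Get-ADUser $u).UserPrincipalName) | Where-Object { $_ }
    foreach ($h in $Hosts) {
        Get-WinEvent -ComputerName $h -FilterHashtable @{ LogName = 'Security'; Id = @(4624, 4625, 4768, 4771); StartTime = $baseline[$u].Time } -ErrorAction SilentlyContinue |
            ForEach-Object {
                $d = Get-EventData $_
                if ($names -notcontains $d['TargetUserName']) { return }
                [pscustomobject]@{
                    User      = $u
                    Host      = $h
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Status    = if ($_.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }
                    LogonType = $d['LogonType']
                    Source    = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['WorkstationName'] }
                }
            }
    }
}

# Step 4: the evidence package. One CSV per user (possibly empty) plus a summary.
# Success = a 4624 session or a 4768 that issued a TGT; everything else is a rejected attempt.
$summary = foreach ($u in $Users) {
    $rows = @($findings | Where-Object User -eq $u)
    $csv  = Join-Path $OutDir "$u-post-disable-events.csv"
    if ($rows.Count) { $rows | Export-Csv -NoTypeInformation -Path $csv }
    else { Set-Content -Path $csv -Value "# no 4624/4625/4768/4771 for $u after $($baseline[$u].Time)" }
    [pscustomobject]@{
        User       = $u
        DisabledAt = $baseline[$u].Time
        Baseline   = $baseline[$u].Source
        Successes  = @($rows | Where-Object { $_.EventId -eq 4624 -or ($_.EventId -eq 4768 -and $_.Status -eq '0x0') }).Count
        Rejections = @($rows | Where-Object { ($_.EventId -in @(4625, 4771)) -or ($_.EventId -eq 4768 -and $_.Status -ne '0x0') }).Count
        Evidence   = $csv
    }
}
$summary | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'summary.csv')
$summary | Format-Table -AutoSize
```

Two caveats decide whether an empty result is evidence or just an empty log. First, 4624/4625 are written on the machine that was logged on to, so a DC-only query proves nothing about RDP or SMB access to member servers; pass those hosts in $MemberServers or collect them through a SIEM. Second, Security logs on busy domain controllers can roll over in days, so record the oldest event still present on each host alongside the findings; if it is newer than the disable date, the absence of events covers only the retained window. Disabling an account also does not end sessions that were already open, and Kerberos service tickets issued before the disable keep working until they expire, so a 4624 with a logon time slightly after the 4725 is worth checking against ticket lifetime rather than treated as a new authentication.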
