Is there a user attribute anywhere in AD which captures the date and time an account was disabled? Or any other way of verifying such information.
To follow up, please let us know if you have any further queries on this.
Please don’t forget to Accept the answer.
This will give you a list of accounts that have not logged on since a specific date and are disabled:
Get-ADUser -Filter {Enabled -eq $False} -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name
This will do the same thing, but let you choose the OU to search in:
Get-ADUser -Filter {Enabled -eq $False} -SearchBase "OU=OUToSearch,DC=YourDomainName,DC=local" -Properties name,sAMAccountName,lastLogonDate | Where-Object {$_.lastLogonDate -le [DateTime]::Now.AddDays(-180)} | Select name,sAMAccountName,lastLogonDate | Sort-Object name
If the Answer is helpful, please click Accept Answer and up-vote, this can be beneficial to other community members.
Hi,
You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Audit account management
When a user account is renamed, disabled, or enabled, events will be logged.
For the user disable operation, you can refer to:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725
Best Regards,
The attribute whenChanged will give you the date on which the last change was made to the account.
Get-ADUser -Filter {(Enabled -eq $False)} -Properties Name,whenChanged | Select-Object Name, whenChanged | Export-csv C:\Userdisabled.csv -NoTypeInformation
Hi @cribbar-4571 and @ArnaudCedricMbouya-0021
Unfortunately, there is no attribute that provides a 100% reliable method to get the date that a user was disabled. The AD account auditing option suggested above is probably the best option; however, this must be enabled before the account is disabled, and the events stored for future reference, in case the audit event log entries are overwritten. The whenChanged attribute records when the last change was made to the account, and as a result any subsequent change to the account will also change this attribute, including a failed logon. The lastLogon date is exactly that, and the account may have been disabled some time after the last time the user logged on.
The closest you can get to an attribute on the user object is the AD replication metadata for the object. However, this also is not 100% reliable, as the userAccountControl attribute, which is used to disable the user, is also used to control a number of behaviours for the account, so this method makes the assumption that the last management operation completed on the account was to disable it.
To view the metadata of an object you can use repadmin /showobjmeta, or you can follow this article and use a GUI to display the details: https://nettools.net/how-to-display-the-meta-data-of-an-ad-object/
The time against the userAccountControl attribute is the last time the attribute was changed, which we assume is the date the account was disabled.

Gary.
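As an added example (not code from any of the answers above), this script combines Gary's replication-metadata approach with the 4725 audit events the auditing answer points to, so each disabled account shows its estimated disable time next to the evidence behind it. It assumes the ActiveDirectory module on a domain-joined host with rights to read the DC's Security log; Get-DisableEstimate and the search base are placeholders of my own.

```powershell
# Added example: estimate when each disabled account was disabled from the
# replication metadata of userAccountControl, and corroborate with event 4725
# where the Security log still holds it. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$Dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$ACCOUNTDISABLE = 0x2    # bit in userAccountControl that a disable operation sets

function Get-DisableEstimate {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $users = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase `
        -Properties userAccountControl, whenChanged, lastLogonDate

    # Read every 4725 ("A user account was disabled") from this DC once. The table
    # stays empty when auditing was never enabled or the log has already rolled over,
    # which is exactly the gap Gary describes above.
    $events = @{}
    try {
        Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4725 } -ErrorAction Stop |
            ForEach-Object {
                $target = $_.Properties[0].Value    # TargetUserName field of 4725
                if (-not $events.ContainsKey($target) -or $events[$target] -lt $_.TimeCreated) {
                    $events[$target] = $_.TimeCreated
                }
            }
    } catch { Write-Warning "No 4725 events readable on ${Dc}: $_" }

    foreach ($u in $users) {
        # Metadata for the one attribute the disable operation writes.
        $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
            -Server $Dc -Properties userAccountControl
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisabledBitSet = [bool]($u.userAccountControl -band $ACCOUNTDISABLE)
            UacLastChanged = $meta.LastOriginatingChangeTime    # best estimate of the disable time
            UacWriteCount  = $meta.Version                      # every write since creation; a high count means the last write may not be the disable
            ChangedOnDc    = $meta.LastOriginatingChangeDirectoryServerIdentity
            WhenChanged    = $u.whenChanged                     # moves on any write to the object, so only an upper bound
            LastLogonDate  = $u.lastLogonDate
            Event4725Time  = $events[$u.SamAccountName]         # $null when no audit record survives
        }
    }
}

Get-DisableEstimate | Sort-Object UacLastChanged | Format-Table -AutoSize
```

Where Event4725Time is present and matches UacLastChanged, the estimate is confirmed; where it is $null, the metadata time is the only evidence and carries the caveat about other userAccountControl changes.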