How to Check Who Disabled a User Account in Active Directory

Quick Summary: To check who disabled a user account in Active Directory, look for Event ID 4725 in the Security log on domain controllers, which records the account name of the person who performed the action. Enable Audit Account Management policy, open Event Viewer, filter for Event ID 4725, and examine the “Subject” field to identify the responsible user.

One of the most challenging tasks administrators face on a daily basis is managing Active Directory user accounts. It is particularly important to monitor who is making changes, and why, so that every change can be confirmed as legitimate.

What is Event ID 4725?
Event ID 4725 is a Windows Security event that logs when a user account is disabled in Active Directory, recording who performed the action and when. This event generates on domain controllers and member servers whenever an account is disabled.

Why it’s Important to Track Disabled User Accounts in Active Directory

Active Directory configuration changes need to be carefully monitored so that users keep access to the resources they require. If a user’s account is disabled, they lose access to essential services such as email, file shares and SharePoint, which disrupts business operations.

Another reason to ensure that disabled users are tracked in Active Directory is to reduce the risk of a data breach. Disabled accounts represent a serious threat as they can be re-enabled and misused by attackers seeking access to Active Directory, Windows servers and other AD-integrated systems. Common attack scenarios include:

  • Insider threats: Malicious insiders may disable accounts to disrupt operations or re-enable dormant accounts for unauthorized access
  • Lateral movement: Attackers may use disabled or dormant accounts to move through the network undetected
  • Privilege escalation: Compromised disabled accounts with elevated privileges can be re-enabled to gain administrative access

Therefore, it is crucial to have visibility over who disabled a user account so that the reason for the change can be established.

In this article, we will discuss the steps you need to take to detect who disabled a user account in Active Directory. We will first look at doing this using native auditing, followed by a more straightforward approach using the Lepide Auditor for Active Directory.

Find Who Disabled a User Account using Event Logs (Event ID 4725)

Prerequisites

Before starting, ensure you have:

  • Domain Admin privileges or equivalent permissions
  • Access to Group Policy Management Console (GPMC)
  • Event Viewer access on domain controllers
  • Appropriate permissions to modify auditing policies

Configuration Steps

Please follow the below steps:

  1. Run gpmc.msc to open the Group Policy Management Console.
  2. Create a new GPO and edit it.
  3. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  4. Double-click Audit account management, select Define these policy settings, and tick Success.
  5. Click Apply and OK.
  6. Go to Event Log and define:
    • Maximum security log size to 4GB
    • Retention method for security log to Overwrite events as needed.
  7. Link the new GPO to the OU containing the user accounts: in Group Policy Management, right-click the OU, choose Link an Existing GPO, and select the GPO you created.
  8. Force the Group Policy update: in Group Policy Management, right-click the OU and click Group Policy Update.
  9. Open ADSI Edit, connect to the Default naming context, right-click the domainDNS object with the name of your domain, and open Properties > Security (tab) > Advanced (button) > Auditing (tab). Add the principal Everyone, set Type to Success and Applies to to This object and Descendant objects, and under Permissions select all check boxes except the following:
    • Full Control
    • List Contents
    • Read all properties
    • Read permissions
    Click OK.
  10. Open Event Viewer and search the Security log for event ID 4725 (User Account Management task category).

    Event ID 4725

    Note: This event only generates on domain controllers and member servers.
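Because 4725 is written only on the domain controller that processed the change, a practical way to complete step 10 is to query every DC at once and read the Subject and Target fields out of the event XML. The following PowerShell is an added example, not code from the original article or from Lepide; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log remotely on each DC. The `$Days` and `$TargetUser` parameters are names chosen here for illustration.

```powershell
# Added example: list who disabled which account (Event ID 4725) across all DCs.
# Assumes the ActiveDirectory RSAT module and remote read access to each DC's Security log.
#Requires -Modules ActiveDirectory

param(
    [int]$Days = 7,          # how far back to search
    [string]$TargetUser      # optional sAMAccountName to narrow the results
)

$since = (Get-Date).AddDays(-$Days)

# 4725 is logged on the DC that handled the change, so check every DC, not just one.
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4725
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; only surface other errors.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Subject* (who did it) and Target* (which account) are only reliable via the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($TargetUser -and $data['TargetUserName'] -ne $TargetUser) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $dc
            DisabledBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            DisabledAccount  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SubjectLogonId   = $data['SubjectLogonId']
        }
    }
}

$results | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run it as `.\Find-DisabledBy.ps1 -Days 30 -TargetUser jsmith` (script name chosen here) to see every DC that recorded the account being disabled, the time, and the Subject account responsible. The SubjectLogonId column can be correlated with the 4624 logon event on the same DC if you need to establish from where the administrator session originated.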

Troubleshooting: Why Event ID 4725 Might Not Appear

  • Auditing not enabled: Verify the Audit Account Management policy is configured and applied
  • Log overwritten: Security logs may have been overwritten due to size limits; increase log size or archive logs
  • Wrong domain controller: Check the domain controller where the account change was processed, not just any DC
  • Replication delay: Allow time for Group Policy to replicate across domain controllers
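The first two causes above can be confirmed from each DC directly rather than by inspection in Event Viewer. The following PowerShell is an added example, not part of the original article, that reports the effective audit setting for the User Account Management subcategory (the subcategory the Audit account management policy maps to), the configured Security log size and retention mode, and the timestamp of the oldest event still held, which tells you whether the window you are investigating has already been overwritten. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example: verify 4725 auditing prerequisites on every domain controller.
# Assumes the ActiveDirectory RSAT module and PowerShell remoting to each DC.
#Requires -Modules ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        # Effective local audit policy (reflects the GPO once it has applied).
        # /r returns CSV, which ConvertFrom-Csv turns into an object.
        $policy = auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv

        $log    = Get-WinEvent -ListLog Security
        $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            AuditSetting     = $policy.'Inclusion Setting'   # expect "Success" or "Success and Failure"
            MaxLogSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
            LogMode          = $log.LogMode                 # Circular = overwrite as needed
            RecordCount      = $log.RecordCount
            OldestEvent      = $oldest.TimeCreated          # anything before this is gone
        }
    } | Select-Object DomainController, AuditSetting, MaxLogSizeMB, LogMode, RecordCount, OldestEvent
}
```

A DC that shows "No Auditing" has not received or applied the GPO (re-check the link and allow for replication); a DC whose OldestEvent is more recent than the disable you are investigating has already overwritten the evidence, which is the case for increasing the log size or forwarding Security events to a collector.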

How Lepide Auditor Helps

A quicker and more straightforward way to identify who has disabled a user is to use Lepide Auditor for Active Directory. Our Active Directory auditing software can provide you with in-depth visibility with real-time alerts that help you overcome the limitations of native auditing.

The following is an example of the User Status Modifications report, one of many pre-defined reports included in Lepide Auditor:

Disabled Users Report

The report shows the User Name of the account that was disabled together with who disabled it.

To run the report:

  • From the States & Behavior window, choose Active Directory Reports and select User Status Modifications
  • Specify a date range, select Disabled from the Status filter and click Generate Report

Native Auditing vs. Lepide Auditor

| Feature | Native Auditing | Lepide Auditor |
|---|---|---|
| Setup Complexity | High – requires GPO configuration, ADSI Edit | Low – agent-based installation |
| Time Required | 30+ minutes for initial setup | Minutes to generate reports |
| Information Provided | Raw event data requiring interpretation | Pre-formatted reports with clear details |
| Limitations | Log overwrites, multiple DC checks needed | Requires third-party software |