How to detect who enabled a user account in Active Directory


A disabled user account could be enabled and misused by malicious agents. This is why it's essential for IT administrators to audit their AD environment in real time using Active Directory native auditing or third-party tools. This can help them identify the user that enabled the user account. Below are the steps to find who enabled a user account in Active Directory:

Steps to find who enabled a user account using PowerShell

Perform the following actions on the domain controller (DC):

  1. Click Start, search for Windows PowerShell, right-click it, and select Run as administrator.
  2. Type the following command into the console: Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4722} | Select-Object -Property *
  3. Press Enter.
  4. The command lists the events (event ID 4722) logged when user accounts were enabled. In the output, under Message → Subject → Account Name, the name and security ID of the user that enabled the target user account can be found.

Note: If you're working from a workstation, run the following command in PowerShell instead:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4722} | Select-Object -Property *

where <DC name> is the name of the domain controller where you want to check the details of the user account that was enabled.
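
The steps above leave the answer buried in each event's Message text. The following added example (not part of the original page or of ADAudit Plus) parses the XML of a 4722 event into one row per enable action, showing who enabled which account. It assumes the "Audit User Account Management" policy is enabled so that 4722 is logged; the function name ConvertFrom-Event4722 and the sample event values are constructed for illustration.

```powershell
# Added example: turn a 4722 event ("A user account was enabled") into a row.
function ConvertFrom-Event4722 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        # EventData is a list of <Data Name="...">value</Data> pairs.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = [datetime]$evt.System.TimeCreated.SystemTime
            DomainController  = $evt.System.Computer
            # Subject* = the account that performed the enable.
            EnabledBy         = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            EnabledBySid      = $data.SubjectUserSid
            # Logon ID ties the action to the actor's 4624 logon event.
            LogonId           = $data.SubjectLogonId
            # Target* = the account that was enabled.
            EnabledAccount    = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            EnabledAccountSid = $data.TargetSid
        }
    }
}

# Constructed sample event (all names, SIDs and times are made up) for offline use.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4722</EventID>
    <TimeCreated SystemTime="2024-01-15T10:23:45.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
$sampleXml | ConvertFrom-Event4722 | Format-List

# Live query (run elevated; <DC name> is a placeholder for your domain controller):
# Get-WinEvent -ComputerName '<DC name>' -FilterHashtable @{LogName='Security'; Id=4722} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4722 | Sort-Object TimeCreated -Descending
```

Get-WinEvent with -FilterHashtable applies the event ID filter when it queries the log, so it does not pull the entire Security log through Where-Object.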


Through native auditing, you can search for events and keep an eye on changes made to user objects. However, this becomes impractical when you have to deal with hundreds of user accounts and need to keep track of each event as it occurs.

ADAudit Plus is real-time Active Directory auditing software that helps gain visibility into the changes made to AD objects and their attributes. Monitor each phase in the life cycle of a user account along with details on who initiated it, from where, and when.

Easily identify who enabled user accounts in just a few clicks using ADAudit Plus

  1. Open the ADAudit Plus console, and log in as an administrator.
  2. Navigate to Reports → Active Directory → User Management → Recently Enabled Users.

Find who enabled a user account in Active Directory, when, and from where.


Other reports on recently created, deleted, moved, and locked out user accounts help you gain more insight into your AD user accounts.


Advantages of using ADAudit Plus over native auditing

  • Monitor and report on each phase in the life cycle of AD objects, and cover all bases in your AD environment.
  • Detect anomalous behavior among users with the user behavior analytics (UBA) engine. For example, an unusually high volume of user management activity, logon failures, or failed file access attempts could indicate risks.
  • Identify the reason behind account lockouts and troubleshoot them faster with the Account Lockout Analyzer.
 
