I have always looked for event id 629 in the security eventlog on each domain controller. Microsoft has a knowledge base article that lists security events and their codes, http://support.microsoft.com/default.aspx?scid=kb;en-us;174074. Of course you must be auditing account management for the event to show up in your logs.
-----Original Message-----
From: Burns, Clyde [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Determining when a user account was disabled.
Im trying to generate a report of disabled accounts that were disabled X number of days ago.
Getting a report of which accounts are disabled was fairly straightforward* but I cannot find anything that will tell me when the account WAS disabled. I was wondering if anyone could tell me if such information is stored in AD or how to approximate the date. Right now Im thinking of pulling the last logon times from the domain controllers to ballpark the amount of time the accounts could have been disabled but thats a stopgap at best.
Any tips or pointers would be greatly appreciated.
Clyde Burns
* VB6 code to generate report
Set rootDSE = GetObject("LDAP://RootDSE")
Set Ou = GetObject("LDAP://" & "CN=Users," & _
rootDSE.Get("defaultNamingContext"))
Ou.Filter = Array("user")
For Each Child In Ou
Debug.Print _
Chr(34) & Child.sAMAccountName & Chr(34) & Chr(44) & _
Chr(34) & Child.DisplayName & Chr(34) & Chr(44) & _
Chr(34) & Child.accountdisabled & Chr(34)
Next
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
