As Edward pointed out, to really get the authoritative data you want, you would 
need to have historic audit logs. Another, less reliable method that you can 
use is to look at the replication metadata for the UserAccountControl 
attribute. This is the attribute that gets updated when the account is 
disabled. The problem is that this attribute is a collection of flags, so if 
anyone changed any of the other settings, such as "User cannot change password", 
after disabling the account, the data will not be accurate. There are many 
tools that will show you the metadata on an object, such as repadmin 
/showobjmeta.

Thanks,

-Steve
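
[Added example, not part of the original thread.] One way to pull the replication metadata described above for every disabled account at once, using the ActiveDirectory PowerShell module instead of running repadmin /showobjmeta per object. The DC name and the quarter boundaries are assumptions; replace them with your own.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Server       = 'dc01.example.com'      # hypothetical DC name (assumption)
$QuarterStart = Get-Date '2006-10-01'   # assumed reporting window
$QuarterEnd   = Get-Date '2007-01-01'

$report = Get-ADUser -Filter 'Enabled -eq $false' -Server $Server -Properties whenChanged |
    ForEach-Object {
        $user = $_
        # Per-attribute replication metadata (the data repadmin /showobjmeta
        # shows), restricted to userAccountControl.
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $Server -Properties userAccountControl
        if ($meta) {
            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                # Last originating write to userAccountControl. This is the
                # disable date only if no other flag was changed afterwards.
                UacLastChanged = $meta.LastOriginatingChangeTime
                # Number of writes to the attribute; more writes means less
                # certainty that the last one was the disable.
                UacVersion     = $meta.Version
                OriginatingDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
                # Shown for comparison with later edits to the object.
                WhenChanged    = $user.whenChanged
            }
        }
    }

# Keep only accounts whose userAccountControl was last written in the window.
$report |
    Where-Object { $_.UacLastChanged -ge $QuarterStart -and $_.UacLastChanged -lt $QuarterEnd } |
    Sort-Object UacLastChanged |
    Format-Table -AutoSize
```

The timestamps are evidence of the last write to the flags attribute, not an audit record of who disabled the account or why; archived Security event logs remain the authoritative source.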

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Then you are going to have to restore the logs from your server and sift 
through them from the last quarter. Good luck on that one... You really need 
to invest in Eventlog Manager and Archival software for compliance issues to 
really do what you want to do; the standard tools are not going to help you in 
this endeavor.

EZ


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505


________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Wednesday, January 03, 2007 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Thanks for the quick response. I don't have logs for more than 2 days on the 
DCs. They get overwritten due to size. Is there any other way? In the future I 
will have monitoring to detect the event and send me an email for future 
reference. But right now I need information from the last quarter.

Thanks
-Parag


________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Auditing,

You are looking for the following event ID.

Event Type= Account Management
Event ID 629 (User account disabled)


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505


________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, January 02, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabled user + when

Team,

Is there a way to find when a user account was disabled in AD? Our SOX auditor 
would like to see the list of users whose accounts were disabled in the last 
quarter, plus the date when they were disabled. They will match this 
information with the HR database. We can't rely on the whenmodified attribute 
because the helpdesk team takes a day or two to complete the rest of the 
termination process on that account after the account is disabled.

-Parag
