Tuesday, April 3, 2012

Identifying Disabled Users

A great question came up today in Varonis training: how can we identify when a user account was disabled and who performed the operation? For those of you running Varonis' DA for Directory Services module, the answer can be gathered from the Directory Services log. Select the user account that you want to investigate, then select the Change Description filter with the operation Like and enter the following in the text field:

Property "User Account Control" modified: 514

This is a good candidate to set up as a monthly report to audit all of the user accounts that were disabled during the last month; something that will keep the auditors happy. If you would like the XML for the template please email me and I will send it to you.
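
The value 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), so a disabled account that carries any other flag is logged with a different number (for example 66050 when "password never expires" is also set) and a literal 514 match will not list it. The following is an added example, not part of the original post or of Varonis' product: a Python check that tests the ACCOUNTDISABLE bit on every logged value. The row layout (timestamp, operator, account, change description) and the sample rows are assumptions constructed for illustration.

```python
import re

# Documented Active Directory userAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002

# Change description text as shown in the post, with the new value captured.
CHANGE_RE = re.compile(r'Property "User Account Control" modified: (\d+)')


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def disabled_after_change(rows):
    """Return rows whose new userAccountControl value has ACCOUNTDISABLE set.

    rows: (timestamp, operator, account, change_description) tuples; this
    column layout is an assumption about the exported log, not Varonis' own.
    """
    hits = []
    for timestamp, operator, account, description in rows:
        match = CHANGE_RE.search(description)
        if not match:
            continue  # some other property changed
        value = int(match.group(1))
        if value & ACCOUNTDISABLE:
            hits.append((timestamp, operator, account, value, decode_uac(value)))
    return hits


# Constructed sample rows (not real log data).
SAMPLE_ROWS = [
    ("2012-03-02 09:14", "CORP\\helpdesk1", "jdoe", 'Property "User Account Control" modified: 514'),
    ("2012-03-05 11:40", "CORP\\helpdesk1", "jdoe", 'Property "User Account Control" modified: 512'),
    ("2012-03-09 16:02", "CORP\\admin2", "svc_backup", 'Property "User Account Control" modified: 66050'),
    ("2012-03-12 08:30", "CORP\\admin2", "asmith", 'Property "Department" modified: Finance'),
    ("2012-03-20 13:55", "CORP\\helpdesk3", "tmpuser", 'Property "User Account Control" modified: 546'),
]

if __name__ == "__main__":
    for ts, operator, account, value, flags in disabled_after_change(SAMPLE_ROWS):
        print(f"{ts}  {account}  changed by {operator}  UAC={value} {'|'.join(flags)}")
```

A hit means the account was in a disabled state after that change; since each row carries only the new value, compare it with the account's previous entry to confirm the change is the one that disabled it.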