Disabled accounts getting re-enabled
My requirement is to monitor/alert when a disabled account gets re-enabled. It's Windows 2008 AD in our environment. This is what I did:
When an account gets disabled, it gets added to an Active List. The idea is to cross-check this Active List when an account gets re-enabled and send an alert.
But Windows 2008 generates Event ID 4725 when an account is re-enabled (A user account was changed). The same event is generated when any attribute of a user account is modified. So I'm not able to use this event ID 4725 in my filter condition to compare with the disabled Active List.
Any idea how this can be dealt with?
Re: Disabled accounts getting re-enabled
I'm currently working on the same type of alert. My rule is being tested, but I don't think it's working properly.
I've noticed that Account Enabled events don't have the user ID. I'm trying to correlate the event with an account changed event. I think the SID of the source account should link the two events: 1) Account Enabled and 2) Account Changed.
It's still a work in progress, and I will post when I have more information.
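An added example, not part of either post: the list-and-correlate logic the thread describes, run over constructed events. It uses the event IDs from Microsoft's Security log documentation (4725 "A user account was disabled", 4722 "A user account was enabled", 4738 "A user account was changed"). The tuple layout, the 5-second join window and the assumption that the enable event arrives without an account name are illustrative, not a SIEM schema.

```python
from datetime import datetime, timedelta

DISABLED, ENABLED, CHANGED = 4725, 4722, 4738   # Windows Security event IDs
WINDOW = timedelta(seconds=5)   # assumed max gap between a 4722 and its 4738

# Constructed sample events: (timestamp, event_id, target_sid, target_name).
# The layout is hypothetical; target_name is None where the parsed event
# carries only the SID.
S = "S-1-5-21-1111-2222-3333-"
EVENTS = [
    ("2024-01-10T09:00:00", 4725, S + "1105", None),       # account disabled
    ("2024-01-10T09:05:00", 4738, S + "1106", "asmith"),   # unrelated change
    ("2024-01-11T14:30:00", 4722, S + "1105", None),       # re-enabled
    ("2024-01-11T14:30:01", 4738, S + "1105", "jdoe"),     # paired change
    ("2024-01-11T15:00:00", 4722, S + "1107", None),       # never on the list
    ("2024-01-11T15:00:00", 4738, S + "1107", "newhire"),
]

def detect_reenabled(events):
    """Alert when an account on the 'disabled' list is enabled again."""
    disabled = {}      # target SID -> time it was disabled (the active list)
    last_change = {}   # target SID -> (time, name) of the latest 4738
    pending = {}       # target SID -> alert still missing an account name
    alerts = []
    for ts_s, eid, sid, name in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        if eid == DISABLED:
            disabled[sid] = ts
        elif eid == CHANGED:
            last_change[sid] = (ts, name)
            alert = pending.get(sid)
            # A 4738 shortly after the 4722 supplies the missing name.
            if alert and ts - alert["enabled_at"] <= WINDOW:
                alert["account"] = name
                del pending[sid]
        elif eid == ENABLED and sid in disabled:
            alert = {"sid": sid, "account": name,
                     "disabled_at": disabled.pop(sid), "enabled_at": ts}
            seen = last_change.get(sid)
            if name is None and seen and ts - seen[0] <= WINDOW:
                alert["account"] = seen[1]   # the 4738 was logged first
            elif name is None:
                pending[sid] = alert         # wait for the paired 4738
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect_reenabled(EVENTS):
        print(a)
```

Keying both lookups on the target account's SID means an ordinary attribute change (4738 alone) never matches the list, and the account is removed from the list once the alert fires so it does not repeat.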