

How to Detect Who Enabled a User Account in Active Directory

Why It is Important

If an account is enabled without reasonable cause, it may be a sign that an attacker is trying to gain access to the network. Continuous monitoring of recently enabled accounts pinpoints who is trying to gain unauthorized access to the system and helps you remedy the issue quickly.

Native Audit

  1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
  • Audit account management → Define → Success.
  2. Go to Event Log → Define:
  • Set the maximum security log size to 4 GB.
  • Set the retention method for the security log to "Overwrite events as needed".
  3. Link the new GPO to the OU with User Accounts: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the created GPO.

  4. Force a Group Policy update: Go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".

  5. Run adsiedit.msc → Connect to the Default naming context → Right-click the domain DNS object with the name of your domain → Click Properties → Select the Security (Tab) → Click Advanced (Button) → Select Auditing (Tab) → Add the principal "Everyone" → Type "Success" → Apply this to "This object and descendant objects" → Click Permissions → Select all check boxes except the following:

  • Full control
  • List contents
  • Read all properties
  • Read permissions → Click "OK".
  6. Open Event Viewer and search the security log for event ID 4722 (a user account was enabled).

https://img.netwrix.com/landings/new_how_to/27/native_event_4722.png
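
The Event Viewer search in the last step can also be scripted. The following is an added example, not part of the original article: it pulls event ID 4722 from the Security log and reports which account was enabled and by whom. The function names and the sample event are constructed for illustration; the field names are those of the 4722 event's EventData section.

```powershell
# Added example: function names and the sample event are constructed for illustration.
function ConvertFrom-Event4722Xml {
    # Turn the XML of one 4722 event into an object naming actor and target.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4722') { return }  # skip other events
        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreatedUtc = $evt.System.TimeCreated.SystemTime
            LoggedOn       = $evt.System.Computer
            EnabledBy      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            EnabledAccount = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            AccountSid     = $data['TargetSid']
        }
    }
}

function Get-AccountEnabledEvent {
    # Live query; run elevated and repeat per domain controller, because the event
    # is written to the Security log of the DC that processed the change.
    param([string]$ComputerName = $env:COMPUTERNAME,
          [datetime]$After = (Get-Date).AddDays(-1))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4722; StartTime = $After
    } | ForEach-Object { $_.ToXml() } | ConvertFrom-Event4722Xml
}

# Constructed sample, trimmed to the fields used above, so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4722</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000000000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk.admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4722Xml | Format-List
```

For the sample, `EnabledBy` is `CORP\helpdesk.admin` and `EnabledAccount` is `CORP\jdoe`; on a domain controller, `Get-AccountEnabledEvent -After (Get-Date).AddDays(-7)` produces the same report from the live log.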

Credits

Originally posted - https://www.netwrix.com/how_to_detect_who_enabled_user_accounts_in_active_directory.html