Event ID 4725-A user account was disabled
Hello All,
Hope this post finds you in good health and spirit.
Event ID 4725-A user account was disabled
This event is generated when a user or computer object is disabled. This even us to find out Who Disabled a User Account in Active Directory.
On domain controllers, member servers, and workstations, this event is generated for user accounts.
This event only appears for computer accounts on domain controllers.
The name of the account that requested the “disable account” operation is provided in the Account Name [Type = UnicodeString] field.
Account Domain: The subject’s domain or computer name [Type = UnicodeString]. several formats, some of which are as follows:
Example of a domain name on NETBIOS: WindowsTechno
Full domain name in lowercase: windowstechno.local
Full domain name in capital letters: WINDOWSTECHNO.LOCAL
The value of this field is "NT AUTHORITY" for several well-known security concepts, such as LOCAL SERVICE or ANONYMOUS LOGON.
The name of the machine or device that this account belongs to will be included in this column for local user accounts, for instance: "Mohan.thakur."
Logon ID As an example, “4624: An account was successfully logged on” is a hexadecimal number that you can use to compare this event to more recent ones that could also have the same Logon ID.
Target Account:
Security ID [Type = SID]: SID for the disabled account. Automatically, Event Viewer tries to resolve SIDs and display the account name. You will see the source data in the event if the SID cannot be resolved.
Account Name [Type = UnicodeString]: This field contains the name of the disabled account.
Account Domain [Type = UnicodeString]: The domain or computer name of the target account. several formats, some of which are as follows:
Example of a domain name on NETBIOS: WINDOWSTECHNO
Full domain name in lowercase: windowstechno.local
Full domain name in capital letters: WINDOWSTECHNO.LOCAL
The name of the machine or device that this account belongs to will be included in this column for local user accounts, for instance: "Mohan.Thakur."
Recommendations for Security Monitoring
For 4725:- A user/computer account was disabled.
- Use the “Target AccountSecurity ID” that corresponds to the account to monitor all 4725 events if you have a high-value domain or local account that you need to keep track of every change for.
- You may monitor all 4725 events using the “Target AccountSecurity ID” that matches to any domain or local accounts that shouldn’t ever be disabled (such as service accounts).
- We advise keeping an eye on all 4725 events for local accounts because they often don’t change very often. Critical servers, administrative workstations, and other high-value assets are particularly affected by this.
So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!
Recommended contents
RODC Installation Guide- Step by step guide to install read only domain controller
RODC Filtered Attribute Set
Installing and configuring a RODC in Windows Server-2012
How to find the GUID of Domain Controller
Group Policy Understanding Group Policy Preferences
Group Policy Verification Tool GPOTool Exe
Group Policy Health Check on Specific Domain Controller
What is Netlogon Folder in Active Directory
How to Create Custom Attributes in Active Directory
How Can I Check the Tombstone Lifetime of My Active Directory Forest
How to Determine a Computers AD Site From the Command Line
How to Check the Active Directory Database Integrity
How to Check the Active Directory Database Integrity
Disabling and Enabling the Outbound Replication
DFS Replication Service Stopped Replication
What is Strict Replication Consistency
The replication operation failed because of a schema mismatch between the servers involved
Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers
How to export replication information in txt file
Repadmin Replsummary
Enabling the outbound replication
Guys please don’t forget to like and share the post. You can also share the feedback on below windows techno email id.
If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.
