Windows Events

Event ID 4725-A user account was disabled

Hello All,

Hope this post finds you in good health and spirit.

This event is generated when a user or computer object is disabled. It helps us find out who disabled a user account in Active Directory.

On domain controllers, member servers, and workstations, this event is generated for user accounts.
This event only appears for computer accounts on domain controllers.

Account Name [Type = UnicodeString]: The name of the account that requested the “disable account” operation.

Account Domain [Type = UnicodeString]: The subject’s domain or computer name. Formats vary and include the following:

NetBIOS domain name example: WindowsTechno

Full domain name in lowercase: windowstechno.local

Full domain name in capital letters: WINDOWSTECHNO.LOCAL

For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".

For local user accounts, this field contains the name of the computer or device that the account belongs to, for example: "Mohan.thakur".

Logon ID: A hexadecimal value that you can use to correlate this event with recent events that might contain the same Logon ID, for example “4624: An account was successfully logged on.”

Target Account:

Security ID [Type = SID]: The SID of the account that was disabled. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Account Name [Type = UnicodeString]: This field contains the name of the disabled account.

Account Domain [Type = UnicodeString]: The domain or computer name of the target account. Formats vary and include the following:

NetBIOS domain name example: WINDOWSTECHNO

Full domain name in lowercase: windowstechno.local

Full domain name in capital letters: WINDOWSTECHNO.LOCAL

For local user accounts, this field contains the name of the computer or device that the account belongs to, for example: "Mohan.Thakur".

Recommendations for Security Monitoring

For 4725: A user/computer account was disabled.

  • If you have a high-value domain or local account for which you need to track every change, monitor all 4725 events with the “Target Account\Security ID” that corresponds to that account.
  • If you have domain or local accounts that should never be disabled (such as service accounts), monitor all 4725 events with the “Target Account\Security ID” that corresponds to those accounts.
  • We advise monitoring all 4725 events for local accounts, because these accounts usually do not change often. This is especially relevant for critical servers, administrative workstations, and other high-value assets.
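The recommendations above can be turned into a small filter. This is an added example, not code from the original post: the function name `Get-DisabledAccountAlert`, the watched SID and the sample event are constructed, and the `Data` field names follow the event's XML view (`TargetSid`, `SubjectUserName` and so on).

```powershell
# Added example: names, SIDs and the sample event below are constructed.
$WatchedSids = @('S-1-5-21-1111111111-2222222222-3333333333-1105')  # e.g. a service account

function Get-DisabledAccountAlert {
    param([Parameter(Mandatory)][string[]]$EventXml, [string[]]$WatchedSids = @())
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4725') { continue }
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $computer = $evt.System.Computer
        # Heuristic: for local accounts the target Account Domain is the computer name
        $isLocal = $data.TargetDomainName -ieq ($computer -split '\.')[0]
        $reasons = @()
        if ($WatchedSids -contains $data.TargetSid) { $reasons += 'watched SID' }
        if ($isLocal) { $reasons += 'local account' }
        if (-not $reasons) { continue }   # neither watched nor local: not reported
        [pscustomobject]@{
            Time       = $evt.System.TimeCreated.SystemTime
            Computer   = $computer
            DisabledBy = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            LogonId    = $data.SubjectLogonId   # correlate with 4624 events carrying the same Logon ID
            Target     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            TargetSid  = $data.TargetSid
            Reason     = $reasons -join ', '
        }
    }
}

# Constructed sample in the shape returned by an event record's ToXml() method
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4725</EventID><TimeCreated SystemTime="2024-01-15T09:30:00.000Z"/>
    <Computer>DC01.windowstechno.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="TargetDomainName">WINDOWSTECHNO</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">WINDOWSTECHNO</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
Get-DisabledAccountAlert -EventXml $sample -WatchedSids $WatchedSids
# Live: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} | ForEach-Object { Get-DisabledAccountAlert -EventXml ($_.ToXml()) -WatchedSids $WatchedSids }
```

For the sample, the function returns one object with Reason "watched SID", because the target SID is on the watch list and the target domain does not match the computer name.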

So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!

Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page as well as the website for the latest articles: https://www.facebook.com/windowstechno