Dave Herrell - Blog - IT Toolbox

PowerShell Basics: Find Who Disabled AD Account

If you’ve ever worked as an Active Directory admin, you’ve probably asked yourself: “Who the heck disabled that account?”

It’s a question that comes up often in IT environments. While Windows Security logs technically hold the answer, digging through them manually is tedious and error-prone. That’s why I put together a simple PowerShell script that makes the process quick and easy.


 

The Script

This script searches the Security event log on the domain controller you name for user account disable events (Event ID 4725) and shows you exactly who disabled the account and when. One caveat: a 4725 event is written only to the Security log of the DC that actually processed the change, and it is not replicated, so if the first DC you check comes up empty, run the script against the other DCs (or against your central log collector) before concluding nothing happened.

				
$UserToCheck  = 'usersname'   # samAccountName of the account to check
$LookBackDays = 30            # how far back you want to search
$DC           = 'DC-1'        # target domain controller

$start = (Get-Date).AddDays(-$LookBackDays)

# Pull only 4725 ("A user account was disabled") events from the DC's Security log.
# -ErrorAction SilentlyContinue suppresses the "No events were found" error that
# Get-WinEvent raises when nothing in the window matches the filter.
Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4725
    StartTime = $start
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <Data Name="..."> elements of the event XML into a name -> value table
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TargetUserName is the samAccountName of the account that was disabled;
    # the Subject* fields identify the caller who made the change.
    if ($data['TargetUserName'] -ieq $UserToCheck) {
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            DisabledUser      = $data['TargetUserName']
            DisabledBy        = $data['SubjectUserName']
            DisabledByDomain  = $data['SubjectDomainName']
            DisabledBySID     = $data['SubjectUserSid']
            CallerLogonId     = $data['SubjectLogonId']   # matches the caller's 4624 logon session
            DC                = $_.MachineName
        }
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize


What the Script Does

  • Searches the Security event log on the domain controller you specify.

  • Looks for Event ID 4725 (account disabled).

  • Filters results for the user you want to check.

  • Displays a clean table with:

    • The time the account was disabled

    • The user account that was disabled

    • The account that performed the action

    • The domain, SID, and logon ID of the caller

    • The domain controller where the event was logged
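
The script above queries a single DC and parses the event XML inline. As an added example (not code from the original post), the block below factors that parsing into a function that also accepts a raw event XML string, so it can be exercised offline, and wraps the query so it runs against every DC in the domain, since a 4725 event is recorded only on the DC that processed the change. The function names Convert-AccountDisabledEvent and Find-AccountDisabler, the domain EXAMPLE, the host DC-1.example.local and the SIDs in the sample event are all made up for this illustration.

```powershell
# Added example, not the code from the original post. The helper names
# Convert-AccountDisabledEvent and Find-AccountDisabler are made up here;
# the domain, host names and SIDs in the sample event below are constructed.

function Convert-AccountDisabledEvent {
    # Flatten one 4725 event (or a raw event XML string, for offline testing)
    # into an object: who was disabled, by whom, from which logon session, on which DC.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        if ($Event -is [string]) {
            $xml  = [xml]$Event
            $time = [datetime]$xml.Event.System.TimeCreated.SystemTime
        } else {
            $xml  = [xml]$Event.ToXml()   # EventLogRecord from Get-WinEvent
            $time = $Event.TimeCreated
        }
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated      = $time
            EventId          = [int]$xml.Event.System.EventID
            DisabledUser     = $data['TargetUserName']     # samAccountName of the target
            DisabledBy       = $data['SubjectUserName']    # caller who made the change
            DisabledByDomain = $data['SubjectDomainName']
            DisabledBySID    = $data['SubjectUserSid']
            CallerLogonId    = $data['SubjectLogonId']     # ties to the caller's 4624 logon
            DC               = $xml.Event.System.Computer  # DC that processed the change
        }
    }
}

function Find-AccountDisabler {
    # 4725 is written only on the DC that handled the change, so query all of them.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int]      $LookBackDays = 30,
        [int[]]    $EventId      = 4725,   # add 4722 (enabled) / 4726 (deleted) to widen the search
        [string[]] $DomainController       # default: every DC returned by the AD module
    )
    if (-not $DomainController) {
        $DomainController = (Get-ADDomainController -Filter *).HostName
    }
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddDays(-$LookBackDays)
    }
    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                Convert-AccountDisabledEvent |
                Where-Object { $_.DisabledUser -eq $SamAccountName }
        } catch {
            # With -ErrorAction Stop, "no events" is an exception too; only warn on real
            # failures (RPC unavailable, access denied) so an unreachable DC is not silently skipped.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample 4725 event (not a real capture) so the parser can be exercised offline.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4725</EventID>
    <TimeCreated SystemTime="2025-08-16T07:29:00.000Z"/>
    <Channel>Security</Channel>
    <Computer>DC-1.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">test.user</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1106</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1473</Data>
    <Data Name="SubjectUserName">dave</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x77ce0538</Data>
  </EventData>
</Event>
'@

$sampleEvent | Convert-AccountDisabledEvent | Format-List

# Against a live domain (needs the ActiveDirectory module and Event Log Readers on each DC):
# Find-AccountDisabler -SamAccountName 'test.user' -LookBackDays 30 |
#     Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Before trusting an empty result, confirm the DC is actually auditing account management: running auditpol /get /subcategory:"User Account Management" on the DC should show Success for that subcategory, otherwise 4725 is never written. Remote Get-WinEvent also needs the Remote Event Log Management firewall rules open on the DC and an account that is either a local administrator there or a member of Event Log Readers.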


 

Example Output

When you run the script, you’ll get output like this:

				
TimeCreated           DisabledUser DisabledBy DisabledByDomain DisabledBySID                                 CallerLogonId
-----------           ------------ ---------- ---------------- -------------                                 -------------
8/16/2025 12:29:00 AM test.user    dave       ODC              S-1-5-21-3154358779-447090094-3595144392-1473 0x77ce0538

Wrapping Up

That’s all there is to it! With this script, you no longer have to manually dig through endless Windows logs. Just run it, see who disabled the user, and have a productive conversation with them if needed.

Hopefully, this saves you some time and frustration the next time that question comes up.

 

Hope you find this helpful!