The method below works well for Windows Server 2008 and later. If a user has been deleted from the Active Directory, they won’t be able to log into the systems using Windows Authentication. Setting up security logs with a history can help you identify who disabled a user account.
1) Configure Audit Settings
Run gpedit.msc → Create a new GPO → Edit it → Go to “Computer Configuration” → Policies → Windows Settings → Security Settings → Local Policies > Audit Policy:
Audit account management → Define → Success.
2) Configure Event Log Settings
Go to Event Log → Define:
Maximum security log size to 4GB
Retention method for security log to Overwrite events as needed.
3) Assign a Group Policy to an OU
Link the new GPO to OU with User Accounts → Go to “Group Policy Management” → Right-click the defined OU → Choose “Link an Existing GPO” → Choose the GPO that you’ve created.
Force the group policy update → In “Group Policy Management” → Right-click the defined OU → Click on “Group Policy Update”.
4) Configure ADSI Edit
Open ADSI Edit → Connect to Default naming context → Right-click DomainDNS object with the name of your domain → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and Descendant objects” → Permissions → Select all check boxes except the following:
Full Control
List Contents
Read all properties
Read permissions > Click “OK”.
5) Filter Event Viewer
Open Event viewer and search Security log for event ID’s 4725 (User Account Management task category).