4725 A user account was disabled
Logged when a user account is disabled. Besides legitimate operations such as offboarding, it is also meaningful in defense and disruption contexts.
Overview
The subcategory is Audit User Account Management. The event is generated when an account is switched to disabled. Paired with the enable event 4722, it tracks the account's state changes.
How it is triggered
- Disabling via `net user /active:no`, account disabling in AD, `Disable-ADAccount`, and so on.
Security review points
- An attacker may disable an important account to disrupt a legitimate user’s access (an availability impact). Investigate disabling of administrator or operationally important accounts in particular.
- Conversely, an attacker may later disable an account they created or used, to keep it inconspicuous (re-enabling it later, which is logged as 4722). Read the history together with creation (4720) and deletion (4726).
Notes for log review
- It occurs daily during offboarding and transfers. Check that the target account and acting subject align with the operational flow (HR integration).
- Alerting narrowed to disabling of high-privilege or important accounts is effective.
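
An added example (not from the original page) of the review logic in the two sections above: it runs over constructed 4720/4722/4725/4726 records and reports each disable that hits a watchlisted account, comes from an actor outside the offboarding flow, or sits in a create/disable/re-enable history. The account names, the `IMPORTANT` watchlist and the `hr-sync` actor are assumptions.

```python
from datetime import datetime

# Constructed sample records. TargetUserName / SubjectUserName are the
# EventData names behind "Target Account" and "Subject" Account Name.
EVENTS = [
    {"id": 4720, "time": "2024-05-01T09:00:00", "TargetUserName": "svc-tmp", "SubjectUserName": "jdoe"},
    {"id": 4725, "time": "2024-05-01T09:30:00", "TargetUserName": "svc-tmp", "SubjectUserName": "jdoe"},
    {"id": 4725, "time": "2024-05-02T10:00:00", "TargetUserName": "asmith", "SubjectUserName": "hr-sync"},
    {"id": 4725, "time": "2024-05-02T11:00:00", "TargetUserName": "backup-admin", "SubjectUserName": "jdoe"},
    {"id": 4722, "time": "2024-05-09T23:00:00", "TargetUserName": "svc-tmp", "SubjectUserName": "jdoe"},
]
IMPORTANT = {"administrator", "backup-admin"}  # assumption: local watchlist
EXPECTED_ACTORS = {"hr-sync"}                  # assumption: HR-integration account


def review_disables(events, important=IMPORTANT, expected=EXPECTED_ACTORS):
    """Return (time, target, actor, reasons) for each 4725 that needs review."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 4725:
            continue
        target = ev["TargetUserName"].lower()
        actor = ev["SubjectUserName"].lower()
        # Other account-management events for the same target, split by order.
        before = {e["id"] for e in events[:i] if e["TargetUserName"].lower() == target}
        after = {e["id"] for e in events[i + 1:] if e["TargetUserName"].lower() == target}
        reasons = []
        if target in important:
            reasons.append("important account disabled")
        if actor not in expected:
            reasons.append("actor outside offboarding flow")
        if 4720 in before:
            reasons.append("created (4720) before disable")
        if 4722 in after:
            reasons.append("re-enabled (4722) after disable")
        if 4726 in after:
            reasons.append("deleted (4726) after disable")
        if reasons:  # routine offboarding by an expected actor yields none
            findings.append((ev["time"], target, actor, reasons))
    return findings


if __name__ == "__main__":
    for time, target, actor, reasons in review_disables(EVENTS):
        print(f"{time} {target} disabled by {actor}: {'; '.join(reasons)}")
```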
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The disabled account |
| Subject\Account Name | The subject that performed the operation |