Powershell commands to get AD/entra user account disabled date

Are there any PowerShell commands for us to generate when a particular AD user was disabled?

ahremes (ahremes) June 12, 2025, 7:15am 2

You can use PowerShell to check the account status:

Get-ADUser -Identity username -Properties whenChanged,Enabled | Select-Object Name,Enabled,whenChanged

whenChanged gives you the last time any attribute was modified, which may be when the account was disabled, but this is not reliable.

It would be better to look in the Event Viewer and search for event ID 4725 (a user account was disabled) by filtering the current log on the event ID, assuming this is a domain account. If it's a non-domain PC you will need to look in the security log, but if auditing is not enabled it will not have been logged.

Neally (Neally) June 12, 2025, 5:42pm 3

No, AD does not track that. You can get info when it was last modified, but you’d have to query the event logs to get info on when it was disabled.

Evan7191 (Evan7191) June 12, 2025, 9:34pm 4

You can use Get-ADReplicationAttributeMetadata to see when an attribute was last changed. That can tell you when an account was disabled/enabled.
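
The two approaches suggested in the replies above (replication metadata for userAccountControl and event ID 4725), combined in one script as an added example that is not part of any poster's reply. It assumes on-premises AD with the RSAT ActiveDirectory module, rights to read the Security log on each domain controller, and that account-management auditing was enabled when the account was disabled; the function name and the account name `jdoe` are made up for illustration.

```powershell
#Requires -Modules ActiveDirectory
function Get-ADUserDisabledEvidence {   # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity
    $dcs  = @(Get-ADDomainController -Filter *)

    # 1) Replication metadata: last originating write to userAccountControl.
    #    Any flag change in that attribute moves this timestamp, not only a
    #    disable, so read it together with the current Enabled state.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $dcs[0].HostName -Properties userAccountControl
    [pscustomobject]@{
        Source = 'userAccountControl metadata'; Time = $meta.LastOriginatingChangeTime
        DC = $meta.LastOriginatingChangeDirectoryServerIdentity
        ChangedBy = $null; EnabledNow = $user.Enabled   # metadata records no actor
    }

    # 2) Event 4725 is written only on the DC that processed the change,
    #    so every DC's Security log is searched, matching on the user's SID.
    $xpath = "*[System[(EventID=4725)] and " +
             "EventData[Data[@Name='TargetSid']='$($user.SID.Value)']]"
    foreach ($dc in $dcs) {
        try {
            $found = Get-WinEvent -ComputerName $dc.HostName -LogName Security `
                         -FilterXPath $xpath -ErrorAction Stop
        } catch {
            # "No matching events" is expected on most DCs; warn on anything else.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $found) {
            $d = @{}
            ([xml]$e.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Source = 'Event 4725'; Time = $e.TimeCreated; DC = $dc.HostName
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                EnabledNow = $user.Enabled
            }
        }
    }
}

# 'jdoe' is a constructed sample account name
Get-ADUserDisabledEvidence -Identity 'jdoe' | Sort-Object Time | Format-Table -AutoSize
```

If the Security log has rolled over since the account was disabled, only the metadata row is returned, and its timestamp is the disable time only if no other userAccountControl flag has changed since.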