4725 : A user account was disabled
Generated each time a computer or a user object is disabled.
For user accounts, the event is logged on domain controllers, member servers and workstations.
For computer accounts, the event is logged on domain controllers only.
Monitoring Recommendations :
Monitor for potentially suspicious activity and abuse of privileges.
Monitor this event if you have domain accounts or local accounts that should never be disabled, or for which you need to track every change.
If you have critical assets (servers or workstations), monitor their local accounts (SAM accounts).
Get event details with PowerShell :
PS C:\Users\Administrator> (Get-WinEvent -ListProvider Microsoft-Windows-Security-Auditing).Events | ? {$_.Id -eq '4725'}
Examples of 4725 events
Example of a disabled computer account event
Example of a disabled user account event
Retrieve and export to CSV all Event ID 4725 records for the current domain
PowerShell script to retrieve into a CSV file all logged Event ID 4725 records for the current domain.
# Audit 4725 Events (a user account was disabled) & export events information to CSV table
# EventID_4725_UserAccountWasDisabled.ps1
# wiki.l0ran.xyz
# August 17th, 2024
#

# Optional filter restricted to the last 24 hours (not used below)
$Xpath24h = '*[System[(EventID=4725) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$filterxpath = '*[System[EventID=4725]]'

# CSV Output folder
$CSVOutputFolder = 'C:\tmp'
# CSV Outfile
$CSVOutFile = "$CSVOutputFolder\EventID_4725_UserAccountWasDisabled.csv"

# Enumerate every domain controller of the current domain
$dom = @()
$DCList = @()
$dom = (Get-ADDomainController).domain
$DCList = (Get-ADDomainController -filter * -server $dom).hostname

function get-4725 {
    param (
        [Object]
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, HelpMessage="Data to process")]
        $Event
    )
    process {
        # Parse the event record as XML and flatten the fields we want into one object
        $eventXml_4725 = ([xml]$Event.ToXml()).Event
        [PSCustomObject]@{
            Date              = [DateTime]$eventXml_4725.System.TimeCreated.SystemTime
            RecordID          = $eventXml_4725.System.EventRecordID
            Computer          = $eventXml_4725.System.Computer
            Provider          = $eventXml_4725.System.Provider.Name
            Level             = $eventXml_4725.System.Level
            EventID           = $eventXml_4725.System.EventID
            Keywords          = $eventXml_4725.System.Keywords
            TargetUserName    = $eventXml_4725.EventData.data[0].'#text'
            TargetDomainName  = $eventXml_4725.EventData.data[1].'#text'
            TargetSid         = $eventXml_4725.EventData.data[2].'#text'
            SubjectUserSid    = $eventXml_4725.EventData.data[3].'#text'
            SubjectUserName   = $eventXml_4725.EventData.data[4].'#text'
            SubjectDomainName = $eventXml_4725.EventData.data[5].'#text'
            SubjectLogonId    = $eventXml_4725.EventData.data[6].'#text'
        }
    }
} # End function get-4725

# Query the Security log of each DC and append the parsed events to the CSV file
foreach ($DC in $DCList) {
    write-host "Working on $DC" -ForegroundColor Cyan
    Get-WinEvent -Logname security -ComputerName $DC -FilterXPath $filterxpath -ea 0 |
        get-4725 |
        Export-Csv -Delimiter ';' -path $CSVOutFile -NoTypeInformation -Append
}
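As an added example (not part of the wiki page or its script), the check below applies the monitoring recommendations above to 4725 records: it keys the EventData fields by their Name attribute rather than by position, tells computer accounts (names ending in "$") from user accounts, and flags targets on a watchlist or subjects outside an approved list. The watchlist, the approved subjects and the sample record are constructed assumptions.

```powershell
$WatchedAccounts  = @('svc-backup', 'breakglass-admin')   # assumption: accounts that must never be disabled
$ApprovedSubjects = @('Administrator')                    # assumption: subjects allowed to disable accounts

function Test-4725Event {
    param([Parameter(Mandatory=$true)][xml]$EventXml)
    $ev = $EventXml.Event
    $data = @{}
    # Key each EventData field by its Name attribute rather than by position,
    # so the mapping does not depend on the field order inside the record.
    foreach ($d in $ev.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $target  = $data['TargetUserName']
    $subject = $data['SubjectUserName']
    $isComputer = $target.EndsWith('$')   # computer account names end with '$'
    $alerts = @()
    if (-not $isComputer -and $WatchedAccounts -contains $target) {
        $alerts += "watched account '$target' was disabled"
    }
    if ($ApprovedSubjects -notcontains $subject) {
        $alerts += "disabled by non-approved subject '$subject'"
    }
    [PSCustomObject]@{
        Time           = [DateTime]$ev.System.TimeCreated.SystemTime
        Computer       = $ev.System.Computer
        Target         = "$($data['TargetDomainName'])\$target"
        TargetType     = if ($isComputer) { 'Computer' } else { 'User' }
        Subject        = "$($data['SubjectDomainName'])\$subject"
        SubjectLogonId = $data['SubjectLogonId']
        Alerts         = ($alerts -join '; ')
    }
}

# Constructed sample record (made-up values), shaped like a real 4725 event
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4725</EventID><Computer>DC01.example.local</Computer>
    <TimeCreated SystemTime="2024-08-17T10:15:30.000000000Z" /></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3E7A1</Data>
  </EventData>
</Event>
'@
Test-4725Event -EventXml ([xml]$sample) | Format-List
# Live data: Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4725]]' |
#   ForEach-Object { Test-4725Event -EventXml ([xml]$_.ToXml()) }
```

With the sample record, the object comes back with both alerts set, since svc-backup is on the watchlist and jdoe is not an approved subject.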