Determine when a Windows XP user account has been disabled

Guest

Hi all,

I have the following question regarding Windows XP:

Is it possible to determine the date (and possibly the time) when a user account
has been disabled/locked?

The account is a local user account and the machine is not part of a domain.
It is Windows XP Pro with SP2 and the latest hotfixes applied and the
auditing of "account modification" is disabled (as it is by default in
Windows). Only logon/logoff is being audited.

Is there any way to get this information?

Thanks for any help or suggestions.
Frank
 
Guest

How about with scripting? The script below is a WMI script that should do
the trick. Just cut the script below and paste it into Notepad. Save the
file as something like: expiredate.vbs

Then double-click on the file to run it.

' // Begin Script - Cut from line below

On Error Resume Next

' Bind to the local computer and enumerate only user accounts
Set objAccounts = GetObject("WinNT://.")
objAccounts.Filter = Array("User")

' Print each account name with its expiration date, if one is set
For Each objUser In objAccounts
    If IsNull(objUser.AccountExpirationDate) Then
        Wscript.Echo objUser.Name, "Account has no expiration date."
    Else
        Wscript.Echo objUser.Name, objUser.AccountExpirationDate
    End If
Next

' // End Script - Cut to line above


Vinson
 
Steven L Umbach

I would start by looking in the security log via Event Viewer, as many events
are located there with informational detail that will help. If you have not
done so yet, enable logging of account management events so that more details
will be shown. Most likely auditing of account logon or logon events is
already enabled. You can manage that in Local Security Policy - secpol.msc.
Free tools such as Event Comb from Microsoft can make it easier to parse the
logs. The command net user username will also show helpful detail about a
local user account, such as last logon time.

Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/516.mspx?mfr=true
 
Guest

Thank you for the information, but as the auditing was not enabled, the event
log does not show any details of the account modification (i.e. the
disabling).

That is why I asked if there are any other possibilities...
 
Steven L Umbach

You still should see logon failure events recorded for account lockouts if
that would help and most likely auditing of logon events was enabled by
default. See if you can find any Event ID 539 logon events.

Steve

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 10/30/2007
Time: 9:17:44 PM
User: NT AUTHORITY\SYSTEM
Computer: STEVE-XP
Description:
Logon Failure:
Reason: Account locked out
User Name: darth
Domain: STEVE-XP
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: STEVE-XP

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Guest

Thanks, Steven, again for your reply.

Yes, I get these logon failure events, but with them I only can narrow down
the timespan to a month and a half, but preferably I'd like to know the
(nearly) exact date/time when a distinct user account has been set to
"disabled" by another user.

Background is, that on the PC there are a bunch of local users and one user
with Admin privileges did interactively disable the accounts of some other
users by using the management console. But the other users log on so rarely,
that this only brings me as close as the 1.5 months (using the logon
failures).
This is why I ask, if there was another possibility to get the time when the
"bad user" disabled the other users' accounts, so I can blame him/her for
that...
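
The bracketing discussed in this thread, as an added example that is not part of any poster's message: it reads a text export of the Security log, finds the gap between an account's last successful logon and its first blocked logon, and lists another account's logons inside that gap. Assumptions: records are laid out like the Event ID 539 entry quoted above with US-style dates, Event IDs 528 (successful logon) and 531 (account currently disabled) come from Windows XP's event numbering rather than from the thread, and the sample records and the account "vader" are constructed.

```python
import re
from datetime import datetime

SUCCESS = {528}       # successful logon (Windows XP event numbering)
BLOCKED = {531, 539}  # logon failure: account disabled / account locked out
FIELD = re.compile(r"(?m)^[ \t]*([A-Za-z ]+):[ \t]*(\S.*?)[ \t]*$")

def record(eid, date, time, user):  # one constructed record in the quoted layout
    kind = "Success" if eid in SUCCESS else "Failure"
    return (f"Event Type: {kind} Audit\nEvent Source: Security\nEvent ID: {eid}\n"
            f"Date: {date}\nTime: {time}\nDescription:\n  User Name: {user}\n")

# Constructed sample data; "vader" is a hypothetical administrator account.
SAMPLE_LOG = "\n".join(record(*r) for r in [
    (528, "9/1/2007", "7:45:00 AM", "vader"),
    (528, "9/12/2007", "8:02:10 AM", "darth"),
    (528, "10/5/2007", "11:15:42 AM", "vader"),
    (531, "10/30/2007", "9:17:44 PM", "darth"),
    (528, "11/2/2007", "9:00:00 AM", "vader"),
])

def parse_events(text):
    """Return sorted (timestamp, event_id, user_name) tuples from a text export."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(FIELD.findall(block))
        if {"Event ID", "Date", "Time", "User Name"} <= f.keys():
            ts = datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, int(f["Event ID"]), f["User Name"].lower()))
    return sorted(events)

def disable_window(events, user):
    """Return (last successful logon, first blocked logon); None where unknown."""
    last_ok = first_blocked = None
    for ts, eid, name in events:
        if name != user.lower():
            continue
        if eid in SUCCESS:
            last_ok, first_blocked = ts, None  # account still worked: restart search
        elif eid in BLOCKED and first_blocked is None:
            first_blocked = ts
    return last_ok, first_blocked

def logons_in_window(events, actor, window):
    """Successful logons by actor inside the window: candidate times of the change."""
    start, end = window
    return [ts for ts, eid, name in events
            if name == actor.lower() and eid in SUCCESS
            and (start is None or ts > start) and (end is None or ts < end)]
```

Calling `disable_window(parse_events(SAMPLE_LOG), "darth")` gives the two bounding timestamps, and passing that pair to `logons_in_window` with the administrator's name lists the sessions during which the change could have been made.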
 
Steven L Umbach

OK. In that case, particularly for local accounts, I believe about the only
way to do that is to enable logging of account management but I know you
already stated in your case that was not done. Sorry I can not think of
anything else.

Steve
 
