How to tell the difference between user enabled event during creation and user account enabled from disabled state.
As of ChangeAuditor 5.0\5.1.\5.5.\5.6 it is not possible without looking at the event stream around the time in question to determine if an account was enabled from the disabled state or created. This makes alerting on disabled accounts being enabled not work as expected.
Issue fixed in version 5.7. The latest version of ChangeAuditor for Active Directory can be downloaded at
Added in 5.7 is a new "user account re-enabled" event to complement the existing "user account enabled". The former is disabled by default and generated only if the object has was created more than 10 seconds before.
The latter is enabled by default and is generated whenever the account is enabled.
"User account re-enabled" can be enabled from Administration area under Configuration | Audit Events.