-
Title
How to tell the difference between user account enabled event during user creation and user account being re-enabled from a disabled state. -
Description
How to tell the difference between user enabled event during creation and user account enabled from disabled state.
-
Cause
As of ChangeAuditor 5.0\5.1.\5.5.\5.6 it is not possible without looking at the event stream around the time in question to determine if an account was enabled from the disabled state or created. This makes alerting on disabled accounts being enabled not work as expected.
-
Resolution
WORKAROUND
None.
STATUS
Issue fixed in version 5.7. The latest version of ChangeAuditor for Active Directory can be downloaded at
-
Defect ID
TF00149345 -
Additional Information
Added in 5.7 is a new "user account re-enabled" event to complement the existing "user account enabled". The former is disabled by default and generated only if the object has was created more than 10 seconds before.
The latter is enabled by default and is generated whenever the account is enabled.
"User account re-enabled" can be enabled from Administration area under Configuration | Audit Events.