
Windows Event ID 4725 – Microsoft-Windows-Security-Auditing: User Account Disabled

Event ID 4725 fires when a user account is disabled in Active Directory or on a local Windows system, providing an audit trail for account management activities.

Emanuel DE ALMEIDA
18 March 2026
Event Reference

What This Event Means

Event ID 4725 is a fundamental security audit event in Windows environments, triggered whenever a user account is disabled. The event is generated by the Local Security Authority (LSA) subsystem and logged through the Microsoft-Windows-Security-Auditing provider. It fires immediately when an administrator uses tools such as Active Directory Users and Computers, PowerShell cmdlets, or command-line utilities to disable a user account.

The event structure includes several critical data points: the subject fields identify who performed the action (including their SID, account name, and domain), while the target account fields specify which user account was disabled. Additional context includes the computer name where the action occurred and precise timestamps. In domain environments, this event typically appears on domain controllers, while in workgroup scenarios, it logs on the local system where the account exists.

From a security perspective, Event ID 4725 serves multiple purposes. It provides audit trails for compliance frameworks like SOX, HIPAA, and PCI-DSS that require tracking of privileged account activities. Security teams use these events to detect unauthorized account modifications, investigate insider threats, and maintain accountability for administrative actions. The event also supports automated security monitoring systems that can alert on suspicious account management patterns or unauthorized administrative activities.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually disabling user accounts through Active Directory Users and Computers
  • PowerShell scripts executing Disable-ADAccount or Set-ADUser -Enabled $false cmdlets
  • Command-line tools like net user or dsmod disabling accounts
  • Automated account lifecycle management systems disabling terminated employee accounts
  • Group Policy-based account management policies triggering account disabling
  • Security response procedures disabling compromised user accounts
  • Scheduled tasks or scripts performing bulk account management operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 4725 details to understand what happened and who initiated the action.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the right pane
  4. Enter 4725 in the Event IDs field and click OK
  5. Double-click on a 4725 event to view details
  6. Review the Subject section to identify who disabled the account
  7. Check the Target Account section to see which account was disabled
  8. Note the timestamp and computer name for correlation with other events

The event details will show the Security ID, Account Name, and Account Domain for both the subject (who performed the action) and target (account that was disabled).

02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4725 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent account disabling events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific date range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract specific account information (fields are looked up by name because in 4725 the Target fields precede the Subject fields, so positional Data[n] indices are easy to get wrong):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} | ForEach-Object {
        $Xml = [xml]$_.ToXml()
        # Build a name -> value map of the EventData fields
        $Data = @{}
        $Xml.Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            SubjectUserName = $Data['SubjectUserName']
            TargetUserName  = $Data['TargetUserName']
            TargetDomain    = $Data['TargetDomainName']
        }
    }
  5. Export results to CSV for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} | Select-Object TimeCreated, Id, Message | Export-Csv -Path "C:\Temp\DisabledAccounts.csv" -NoTypeInformation
03

Investigate Account Status in Active Directory

Verify the current status of disabled accounts and correlate with the audit events.

  1. Open Active Directory Users and Computers from Administrative Tools
  2. Enable Advanced Features from the View menu
  3. Navigate to the organizational unit containing the disabled account
  4. Right-click the user account and select Properties
  5. Check the Account tab to confirm the account is disabled
  6. Review the Account Options section for additional restrictions
  7. Use PowerShell to query disabled accounts:
    Get-ADUser -Filter {Enabled -eq $false} -Properties Name, SamAccountName, WhenChanged, LastLogonDate | Select-Object Name, SamAccountName, Enabled, WhenChanged, LastLogonDate
  8. Cross-reference the WhenChanged timestamp with Event ID 4725 timestamps
  9. Check for related events around the same timeframe:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4724,4725,4726,4738)} -MaxEvents 100 | Where-Object {$_.Message -like "*username*"}
Pro tip: Use Get-ADUser -Identity username -Properties * to see all account attributes and their modification timestamps.
04

Configure Advanced Audit Monitoring

Set up comprehensive monitoring for account management events to catch future occurrences.

  1. Open Group Policy Management Console on a domain controller
  2. Navigate to Default Domain Controllers Policy or create a new GPO
  3. Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  4. Expand Account Management and configure:
    • Audit User Account Management: Success and Failure
    • Audit Security Group Management: Success and Failure
  5. Apply the policy and run gpupdate /force on domain controllers
  6. Set up PowerShell monitoring script:
    # Create a scheduled task that re-runs the monitor every 5 minutes (an -AtStartup trigger alone would run it only once per boot)
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\MonitorAccountDisabling.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "MonitorAccountDisabling" -Action $Action -Trigger $Trigger -Principal $Principal
  7. Create the monitoring script at C:\Scripts\MonitorAccountDisabling.ps1:
    # Write-EventLog fails unless the custom source exists, so register it on first run
    if (-not [System.Diagnostics.EventLog]::SourceExists("Account Monitor")) {
        New-EventLog -LogName Application -Source "Account Monitor"
    }
    # The 5-minute window matches the task's repetition interval; SilentlyContinue suppresses the "No events were found" error
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue
    if ($Events) {
        $Events | ForEach-Object {
            $EventXML = [xml]$_.ToXml()
            # Look the fields up by name: in 4725 the Target fields precede the Subject fields
            $TargetUser = ($EventXML.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            $Subject    = ($EventXML.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            Write-EventLog -LogName Application -Source "Account Monitor" -EventId 1001 -Message "Account disabled: $TargetUser by $Subject"
        }
    }
05

Forensic Analysis and Correlation

Perform deep forensic analysis to understand the context and implications of account disabling events.

  1. Collect comprehensive event data using advanced PowerShell queries:
    # Gather related security events for forensic analysis
    $StartDate = (Get-Date).AddDays(-30)
    $SecurityEvents = @(4624,4625,4648,4672,4720,4722,4724,4725,4726,4738,4740,4767)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$SecurityEvents; StartTime=$StartDate} | Export-Clixml -Path "C:\Forensics\SecurityEvents.xml"
  2. Analyze logon patterns before account disabling:
    # Check last successful logons for disabled accounts (TargetUserName is looked up by name, not by position)
    $DisabledEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725} -ErrorAction SilentlyContinue
    $DisabledEvents | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $TargetUser = ($EventXML.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        # Get-WinEvent returns newest events first, so the first match is the most recent logon
        $LastLogon = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -ErrorAction SilentlyContinue | Where-Object {$_.Message -like "*$TargetUser*"} | Select-Object -First 1
        Write-Output "User: $TargetUser, Last Logon: $($LastLogon.TimeCreated)"
    }
  3. Check for privilege escalation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1)}
  4. Review system event logs for related activities:
    Get-WinEvent -FilterHashtable @{LogName='System'; Level=2,3; StartTime=(Get-Date).AddHours(-2)}
  5. Generate comprehensive forensic report:
    # Create detailed forensic timeline
    $Report = @()
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
    $Events | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        # Map EventData fields by name; positional indices differ between event IDs
        $Data = @{}
        $EventXML.Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
        $Report += [PSCustomObject]@{
            Timestamp      = $_.TimeCreated
            EventID        = $_.Id
            Subject        = $Data['SubjectUserName']
            SubjectLogonId = $Data['SubjectLogonId']   # matches TargetLogonId of the subject's 4624 logon event
            TargetAccount  = $Data['TargetUserName']
            Computer       = $_.MachineName
        }
    }
    $Report | Export-Csv -Path "C:\Forensics\AccountDisablingReport.csv" -NoTypeInformation
Warning: Forensic analysis should be performed on isolated systems to prevent evidence contamination. Always maintain chain of custody documentation.

Overview

Event ID 4725 is a security audit event that fires whenever a user account gets disabled on a Windows system or in Active Directory. This event is part of the account management audit category and provides critical visibility into administrative actions affecting user accounts. The event captures who disabled the account, when it happened, and which account was affected.

This event fires on domain controllers when AD user accounts are disabled, and on local systems when local user accounts are disabled. The event appears in the Security log and requires audit policy configuration to generate. By default, Windows Server 2025 and modern Windows clients have account management auditing enabled, but older systems may need manual configuration.

The event provides essential forensic information for compliance requirements, security investigations, and administrative oversight. Each 4725 event includes the security identifier (SID) of both the account that performed the action and the account that was disabled, along with timestamps and system information.

Frequently Asked Questions

What does Event ID 4725 mean and when does it occur?
Event ID 4725 indicates that a user account has been disabled on a Windows system or in Active Directory. This security audit event fires immediately when an administrator or automated process disables a user account through any method - whether using Active Directory Users and Computers, PowerShell cmdlets like Disable-ADAccount, or command-line tools. The event captures who performed the action, which account was disabled, and when it occurred, providing essential audit trail information for security and compliance purposes.
How can I identify who disabled a user account using Event ID 4725?
The Event ID 4725 details contain a 'Subject' section that identifies who disabled the account. This includes the Security ID (SID), Account Name, Account Domain, and Logon ID of the person or service that performed the action. You can view this information in Event Viewer by double-clicking the event, or extract it programmatically using PowerShell with Get-WinEvent and XML parsing. The subject information allows you to trace the action back to the specific administrator or service account responsible for disabling the user account.
Why am I not seeing Event ID 4725 in my Security log?
Event ID 4725 requires proper audit policy configuration to generate. If you're not seeing these events, check that 'Audit User Account Management' is enabled for Success events in your audit policy. On domain controllers, this is typically configured through Group Policy under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. On standalone systems, use secpol.msc to configure local audit policies. Additionally, ensure the Security log has sufficient size and retention settings to capture these events.
Can Event ID 4725 help detect unauthorized account modifications?
Yes, Event ID 4725 is crucial for detecting unauthorized account disabling activities. By monitoring these events, you can identify when accounts are disabled outside of normal business processes or by unauthorized users. Set up automated monitoring to alert on 4725 events occurring during off-hours, from unusual source accounts, or targeting high-privilege users. Correlate these events with other security events like 4672 (special privileges assigned) to detect potential privilege escalation followed by account tampering. Regular review of 4725 events helps maintain accountability and detect insider threats.
How do I correlate Event ID 4725 with other security events for investigation?
Correlate Event ID 4725 with related security events using timestamps and account names. Key events to examine include: 4624 (successful logon) to see the last activity before disabling, 4625 (failed logon) to check for brute force attempts, 4672 (special privileges assigned) to identify privilege escalation, 4720 (account created) and 4726 (account deleted) for complete account lifecycle, and 4738 (account changed) for other modifications. Use PowerShell to query multiple event IDs simultaneously and filter by specific usernames or time ranges. This correlation helps build a complete timeline of account-related activities and identify suspicious patterns or unauthorized administrative actions.
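The two answers above, detection and correlation, put together as an added example that is not part of the original article: it parses 4725 fields by name, flags events that are off-hours, come from a subject outside an approved list, or target a Domain Admins member, and ties each flagged event to the subject's 4624 logon via the shared logon ID to recover the source host and address. The business-hours window, the approved automation account name and the choice of Domain Admins as the privileged set are placeholder assumptions; Get-ADGroupMember needs the ActiveDirectory module.

```powershell
# Added example, not from the original article. Placeholder assumptions to adapt:
# business hours 07:00-18:59, 'svc-iam-lifecycle' as the only approved automation
# account, Domain Admins as the privileged target set (needs the ActiveDirectory module).
$BusinessHours     = 7..18
$ApprovedSubjects  = @('svc-iam-lifecycle')
$PrivilegedTargets = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                     Select-Object -ExpandProperty SamAccountName

function ConvertFrom-EventData {
    # Return EventData as a name -> value hashtable; positional Data[n] indices
    # differ between event IDs (4725 puts Target fields first), names do not.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $Fields = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $Fields[$_.Name] = $_.'#text' }
    return $Fields
}

function Get-SuspiciousDisableEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Index 4624 logons by TargetLogonId once: a 4725's SubjectLogonId names the same
    # session, which is what ties the disable action to a workstation and IP address.
    $Logons = @{}
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since.AddDays(-1)} -ErrorAction SilentlyContinue |
        ForEach-Object { $L = ConvertFrom-EventData $_; $Logons[$L['TargetLogonId']] = $L }

    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4725; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $F = ConvertFrom-EventData $_
            $Reasons = @()
            if ($_.TimeCreated.Hour -notin $BusinessHours)       { $Reasons += 'off-hours' }
            if ($F['SubjectUserName'] -notin $ApprovedSubjects) { $Reasons += 'unapproved subject' }
            if ($F['TargetUserName'] -in $PrivilegedTargets)    { $Reasons += 'privileged target' }
            if ($Reasons.Count -eq 0) { return }   # 'return' inside ForEach-Object skips to the next record
            $Logon = $Logons[$F['SubjectLogonId']]  # $null if the logon predates the search window
            [PSCustomObject]@{
                Timestamp  = $_.TimeCreated
                Subject    = $F['SubjectUserName']
                Target     = $F['TargetUserName']
                Reasons    = $Reasons -join ', '
                SourceHost = if ($Logon) { $Logon['WorkstationName'] }
                SourceIp   = if ($Logon) { $Logon['IpAddress'] }
                LogonType  = if ($Logon) { $Logon['LogonType'] }
            }
        }
}

Get-SuspiciousDisableEvents | Sort-Object Timestamp | Format-Table -AutoSize
```

On a busy domain controller narrow the -Since window, since the 4624 index holds every logon in that period in memory.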
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
