I need to create a widget to monitor when an active directory user account is disabled. Any suggestions?
Monitor the security logs on your domain controller for the corresponding event. Create an alert without reset condition for the event occurrence. Create a widget that displays this alert
Thanks, I have the monitor created but I've never created a widget from a monitor I created. I'll give it a shot.
The widget for the monitor will most likely just show the event when it happens briefly. That’s why I would go for an alert
Any chance you have a link to creating a widget based on an alert? I am not seeing how to do this. I can make on for nodes, applications, reports; but do not see anything on active alerts. Thanks for any help you have.
Okay, so, I created the monitor to grab event 4725 from the DC's. Then I added a custom query widget that displays the time it was disabled, the user that was disabled, and the user account that actually disabled it. That query is in another post called "Disabled Users Query".
You can monitor disabled AD accounts by enabling auditing in Group Policy to capture Event ID 4725 (User Account Disabled) in the Security logs. Then, use a tool like Splunk, Elastic Stack, or Microsoft Sentinel to collect these logs and display them on a dashboard. Alternatively, you can use PowerShell with Search-ADAccount -AccountDisabled -UsersOnly to query for disabled accounts and display results in a custom widget using tools like Power BI or Grafana. For simplicity, third-party tools like Erome ManageEngine ADAudit Plus or SolarWinds Access Rights Manager offer pre-built monitoring widgets.
