1 Reply Latest reply on Oct 7, 2016 2:22 PM by curtisi

    Rule for User Enabled from Disabled


      Greetings - I am interested in creating a rule that will fire when a previously disabled user becomes enabled. I would want to exclude a newly enabled user resultant of a new account having just been created and, I know it is a stretch, but I would also want to exclude UserEnabled when the account had been locked out then resolved; I'm thinking that counts as UserEnabled, too, but I could be wrong. Perhaps to put it in simpler terms, I'm only interested in accounts that were manually disabled and subsequently re-enabled. Doable?

        • Re: Rule for User Enabled from Disabled

          The problem I see is this: when an account is enabled, there's nothing in the logs that indicates the reason it was disabled.  In an account disable event, there is a distinction (lockouts vs. administratively disabled), but unless the disable and the enable happen fairly quickly (within minutes) the LEM's correlation engine isn't going to be a resource friendly way to achieve this.


          One thing that might work for you would be:


          1. Create a "DeadUsers" security group and move administratively disabled accounts to that group
          2. Add that group to LEM and use it for a rule correlation, such that "if an account from DeadUsers is enabled, let me know"


          The problem then would be if a sneaky admin takes an account out of that group before enabling it, but you could alert off changes to that group (DeleteGroupMember) as well.