
Rule for User Enabled from Disabled

Greetings - I am interested in creating a rule that will fire when a previously disabled user becomes enabled. I would want to exclude a newly enabled user resulting from a new account having just been created and, I know it is a stretch, but I would also want to exclude UserEnabled when the account had been locked out then resolved; I'm thinking that counts as UserEnabled, too, but I could be wrong. Perhaps to put it in simpler terms, I'm only interested in accounts that were manually disabled and subsequently re-enabled. Doable?

  • The problem I see is this: when an account is enabled, there's nothing in the logs that indicates the reason it was disabled. In an account disable event, there is a distinction (lockouts vs. administratively disabled), but unless the disable and the enable happen fairly quickly (within minutes) the LEM's correlation engine isn't going to be a resource friendly way to achieve this.

    One thing that might work for you would be:

    1. Create a "DeadUsers" security group and move administratively disabled accounts to that group
    2. Add that group to LEM and use it for a rule correlation, such that "if an account from DeadUsers is enabled, let me know"

    The problem then would be if a sneaky admin takes an account out of that group before enabling it, but you could alert off changes to that group (DeleteGroupMember) as well.
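    As an added illustration of the state-based approach in this reply (example code, not from the poster or from LEM itself), the snippet below keeps its own memory of administratively disabled accounts in place of the DeadUsers group and walks a constructed stream of Windows Security audit events; the event IDs (4720 created, 4722 enabled, 4725 disabled, 4740 locked out, 4767 unlocked, 4729 group member removed) are real Windows IDs, while the accounts, timestamps and group name are made up.

```python
from datetime import datetime

# Constructed sample events (not real logs). Event IDs follow Windows Security
# auditing: 4720 created, 4722 enabled, 4725 disabled, 4740 locked out,
# 4767 unlocked, 4729 member removed from a security-enabled global group.
SAMPLE_EVENTS = [
    {"ts": "2024-01-02T09:00:00", "id": 4720, "account": "newhire"},  # created
    {"ts": "2024-01-02T09:01:00", "id": 4722, "account": "newhire"},  # first enable: expected
    {"ts": "2024-01-02T10:00:00", "id": 4725, "account": "jdoe"},     # administratively disabled
    {"ts": "2024-01-03T11:30:00", "id": 4740, "account": "asmith"},   # lockout, not a disable
    {"ts": "2024-01-03T11:45:00", "id": 4767, "account": "asmith"},   # lockout cleared
    {"ts": "2024-01-05T10:30:00", "id": 4722, "account": "jdoe"},     # re-enabled 3 days later
    {"ts": "2024-01-06T12:00:00", "id": 4729, "account": "bwayne", "group": "DeadUsers"},
    {"ts": "2024-01-06T12:01:00", "id": 4722, "account": "bwayne"},   # enabled after leaving group
]


def detect(events, dead_group="DeadUsers"):
    """Return alerts for re-enables of administratively disabled accounts.

    The dict `disabled_at` is the in-memory counterpart of the DeadUsers group:
    it remembers 4725 events indefinitely, so a 4722 days or weeks later still
    matches without a correlation time window. Account creation (4720) and
    lockouts (4740) never populate it, which excludes new accounts and
    lockout recoveries. Removal from the group itself (4729) is reported as
    well, since that is the evasion path the reply above points out.
    """
    disabled_at = {}
    alerts = []
    for ev in events:
        eid, acct = ev["id"], ev["account"]
        if eid == 4725:
            disabled_at[acct] = ev["ts"]
        elif eid == 4720:
            disabled_at.pop(acct, None)  # fresh account: its first enable is expected
        elif eid == 4729 and ev.get("group") == dead_group:
            alerts.append({"kind": "removed_from_dead_group", "ts": ev["ts"], "account": acct})
        elif eid == 4722 and acct in disabled_at:
            gap = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(disabled_at.pop(acct))
            alerts.append({"kind": "reenabled_after_admin_disable", "ts": ev["ts"],
                           "account": acct, "days_disabled": gap.days})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    On the sample above only jdoe and the bwayne group removal are reported; newhire, asmith and the bwayne enable itself produce nothing.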