There is no single, specific event ID for disabling an account in Windows. The event ID associated with disabling an account depends on the method used to disable it.
Here are some scenarios and their corresponding event IDs:
- Disabling an account through the **Local Security Policy**: The event ID for this action will be **4720**, which signifies a "User Account Management" event.
- Disabling an account through **Active Directory Users and Computers (ADUC)**: The event ID for this action will be **4720** as well.
- Disabling an account using the `net user` command: This action will also generate a **4720** event ID.
It's important to note that the event ID 4720 indicates a change in user account management, which encompasses various actions, including disabling, enabling, and password changes.
To identify the specific action associated with the event ID, you need to review the Event Details within the Event Viewer.
This information will provide details about the account that was modified, the user who performed the action, and the specific change that was made.
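
The same review can be scripted when the events are available as XML. The following is an added example, not part of the original page: it filters events by ID and extracts the account that was modified and the user who performed the action. The sample events are constructed, and `account_events` is a hypothetical helper name; `TargetUserName` and `SubjectUserName` are the field names Windows account-management events use for the modified account and the acting user.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two Security events in Windows event XML, wrapped in a
# root element. Account names, domain and timestamps are made up.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000Z"/>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-15T09:31:00.000Z"/>
  </System>
  <EventData><Data Name="TargetUserName">jdoe</Data></EventData>
</Event>
</Events>"""

def account_events(xml_text, event_ids=("4720",)):
    """List who acted on which account for events whose ID is in event_ids."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if event_id.strip() not in event_ids:
            continue  # not an event ID we were asked to report on
        when = ev.find("e:System/e:TimeCreated", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        rows.append({
            "event_id": event_id.strip(),
            "time": when.get("SystemTime") if when is not None else "",
            "target": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
            "actor": f'{data.get("SubjectDomainName", "")}\\{data.get("SubjectUserName", "")}',
        })
    return rows

if __name__ == "__main__":
    for row in account_events(SAMPLE):
        print(row)
```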