This article explains how to find the exact time when a user was disabled in Active Directory. While ADManager Plus provides identity management functions, this type of real-time log-based auditing is only supported in ADAudit Plus.

FAQ   

Q: How can I find the exact time a user was disabled in Active Directory?
A: This level of audit detail is not available in ADManager Plus, but is fully supported in ADAudit Plus through the Recently Disabled Users report.

Why it's not feasible in ADManager Plus:  

1. ADManager Plus is primarily designed for provisioning, deprovisioning, and reporting based on current Active Directory data.

2. It does not collect or retain historical security logs from domain controllers.

3. There is no built-in audit trail for actions performed outside of ADManager itself (e.g., direct changes via ADUC or PowerShell).

Why it's feasible in ADAudit Plus:  

1. ADAudit Plus collects and parses real-time security logs from all configured domain controllers.

2. It tracks all user management events, including who disabled the user, when, and from where.

3. Reports are timestamped and can be filtered, exported, or tied to alerts.

 Steps to generate the Recently Disabled Users report in ADAudit Plus:   

1. Log in to your ADAudit Plus console.

2. Navigate to Reports on the left panel.

3. Expand User Management.

4. Click Recently Disabled Users.

5. Use the filters at the top to set the date range or specify a username.

6. The report will display:

• Username

• Time of disablement

• Performed by (who disabled)

• Source machine (host or domain controller)

7. Click Export to download the report in PDF, CSV, or XLS format.