Event-o-Pedia EventID 23 - Computer account disabled.

	Event Details
	User Activity->Object Access->Active Directory Object Access->Change Auditor for Active Directory->Computer Object Changes->EventID 23 - Computer account disabled.

EventID 23 - Computer account disabled.

Linked Event:

EventID 23 - AD object property was successfully modified.

Sample:

Event Type:     Information
Event Source:   ITAD Directory Changes
Event Category: None
Event ID:       23
Date:           10/29/2009
Time:           07:00:44
User:           RESEARCH\CBrown
Computer:       DC1
Description:    
AD object property was successfully modified.

	Client Computer : 10.0.0.1

	Object DN : cn=Daniel Krane,CN=Users,DC=research,DC=corp

	Object Class : user

	Object GUID : {9DD9B58F-9548-4EE8-A852-7911C763BF7B}

	Attribute Name : userAccountControl

	Property Name : Account is disabled

	Old Value : <not set>

	New Value : Unchecked

	Request ID : {17880F2C-D275-4251-B5D1-0F13C28448EA}

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

InTrust for AD

Filtering Field	Equals to Value
Source	ITAD Directory Changes
EventId	23
InsertionString2	computer
InsertionString4	userAccountControl
InsertionString5	Account is disabled
InsertionString7	Checked
Expression	String6 != String7

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime	1/1/2000
Who	Account or user name under which the activity occured.	User	SomeUser
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Computer Account Disabled"	Computer Account Disabled
Where	The name of the workstation/server where the activity was logged.	Computer	10.10.10.10
Where From	The name of the workstation/server where the activity was initiated from.	Client Computer	10.0.0.2
Severity	Specify the seriousness of the event.	"Medium"	Medium
WhoDomain		-
WhereDomain		-
Result	Successful or Failed	"Successful"	Successful
Object Name		Object DN	cn=Daniel Krane,CN=Users,DC=research,DC=corp
Object Type		Object Class	user
Whom		InsertionString1	cn=Daniel Krane,CN=Users,DC=research,DC=corp
Property Name	LDAP DisplayName of the AD object property	Property	Account is disabled
Value Before	Property value before the change	Old Value	<not set>
Value After	Property value after the change	New Value	Unchecked
Whom	Target computer	-