Windows Security Log Event ID 629

629: User Account Disabled

On this page

• Description of this event
• Field level details
• Examples

Windows logs this event for both user accounts and computer accounts.  Computer account names are recognizable by the $ at the end of the name.  This event will be accompanied by an event 642 (if a user account) or 646 (if a computer account).

Despite MS documentation, this event does not get logged by W2k but W3 does log this event correctly. However W2k does log event ID 642 and identifies the type of change. See example below: W3 also logs 642 along with this event but the format of 642 is different compared to W2k. See 642 for W3.   Note Windows 2000 does not log event ID 629 explicitly. Results are logged as a part of event ID 642 in the description of the message. Windows Server 2003 DOES logs this event.

Event ID 642: 

User Account Changed:
  Account Disabled. 
  Target Account Name: Bill
  Target Domain: MS0
  Target Account ID: S-1-5-21-1234561642-8123456618-725345543-1008
  Caller User Name: Administrator
  Caller Domain: ACME
  Caller Logon ID: (0x0,0xD44E)
  Privileges: -
 

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 629

• Target Account Name: %1
• Target Domain: %2
• Target Account ID: %3
• Caller User Name: %4
• Caller Domain: %5
• Caller Logon ID: %6

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

Mini-Seminars Covering Event ID 629 Building a Security Dashboard for Your Senior Executives

 

Upcoming Webinars Securing Every Identity in the Hybrid Era: Building a Unified Strategy Across Cloud, On-Prem, and AI “3 Persistent Privileged Access Methods in Active Directory: How Attackers Stick the Landing with AdminSdHolder, SIDHistory, DCShadow”

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy