Difference between Disabled, Expired and Locked Account

Disabled accounts

Disabling accounts is very effective when an organization has a provisioning process that (automatically) governs the enabling and disabling of account status, and/or when guest or vendor engagements are frequent. Because such vendor engagements have an uncertain expiry date, an automated process cannot be preset for them.

Also, where a vendor engagement needs to be controlled due to inactivity, the account can be disabled provisionally for security and re-enabled when needed.

An account can be disabled at: Account -> Properties -> Account tab -> Account Options -> select the checkbox “Account is disabled”

Locked accounts

An account can be locked automatically based on the organization’s Account Lockout Policy. If no such process is in place, the account could be compromised, which can prove fatal to the organization’s data.

Nor should one rely wholly on the event logs. Logs are generated in large volumes, and it is impossible to spot a potential breach from an account that does not conform to the Account Lockout Policy, or to manually disable every single account for that matter.

The Account lockout threshold can be set in Group Policy: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy.

Expired accounts

For organizations that depend largely on contract-based assignments, this utility is a boon. Setting an account expiry time saves you the trouble of remembering to come back and disable the account manually when the contract ends. When the contract comes to an end, the account automatically expires, thus providing no scope for security breaches. Also, if an account provisioning process is in place, this setting adapts to suit it.

An account expiry can be set at: Account -> Properties -> Account tab -> Account expires -> End of

Key difference after Status change:

All three account states behave similarly after the change; the only difference is with locked accounts. A locked account remains locked only for a specified duration and is ‘automatically’ unlocked when that duration completes. If the duration is set to 0, it will never be ‘automatically’ unlocked.

Event IDs in logon events:


531: Logon failure. A logon attempt was made using a disabled account.

532: Logon failure. A logon attempt was made using an expired account.

539: Logon failure. The account was locked out at the time the logon attempt was


The 2008 equivalent of ALL failed logon events is: “4625: An account failed to log on”

Failure reason: Same as above
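Because 4625 folds all three cases into one event, telling them apart means reading its Status and SubStatus fields. The following is an added example (not part of the original article) that classifies exported 4625 event XML into the three account states; the account names and sample events are constructed, and the helper `_event` is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that event 4625 carries for the three account states.
STATES = {
    0xC0000072: "disabled",  # STATUS_ACCOUNT_DISABLED   (was event 531)
    0xC0000193: "expired",   # STATUS_ACCOUNT_EXPIRED    (was event 532)
    0xC0000234: "locked",    # STATUS_ACCOUNT_LOCKED_OUT (was event 539)
}

def classify(event_xml):
    """Return (account, state) for one event XML; state is None if unrelated."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None, None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    user = data.get("TargetUserName", "")
    # The code may sit in either field (a lockout usually arrives in Status
    # with SubStatus 0x0), so check both.
    for field in ("SubStatus", "Status"):
        try:
            code = int(data.get(field) or "0", 16)
        except ValueError:
            continue
        if code in STATES:
            return user, STATES[code]
    return user, None

def summarize(events):
    """Count state-related logon failures per (account, state)."""
    counts = Counter()
    for xml_text in events:
        user, state = classify(xml_text)
        if state:
            counts[(user.lower(), state)] += 1
    return counts

def _event(user, status, sub, event_id=4625):  # builds constructed sample events
    fields = {"TargetUserName": user, "Status": status, "SubStatus": sub}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

SAMPLE = [  # constructed events, not taken from a real log
    _event("vendor01", "0xC000006E", "0xC0000072"),
    _event("contract7", "0xC0000193", "0x0"),
    _event("jsmith", "0xC0000234", "0x0"),
    _event("jsmith", "0xC000006D", "0xC000006A"),  # bad password: ignored
]
```

Repeated hits against a disabled or expired account in the `summarize(SAMPLE)` output are worth reviewing, since nobody should still be using those credentials.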
