We recently came across the account of a former employee that had been disabled when the employee was terminated but was now mysteriously reenabled. How can we determine who reenabled the account and monitor for such occurrences in the future?
The answer to your question might lie in your domain controller (DC) Security event log. Look in the Security log of your Windows Server 2003 DCs for an event ID 626 (user account enabled) in which the description lists the enabled account in the Target Account Name field. The Caller User Name field in the description will identify the user who enabled the account. If you can't find such an event, you might not have Audit account management events enabled for Success in your DCs' security policy or the event has already been overwritten by new events.
Windows 2000 Server DCs don't correctly log event ID 626, so on these systems, you'll need to look for an instance of event ID 642 in which the description includes the phrase User Account Changed: Account Enabled.