

Tracing down user and computer account deletion in Active Directory

 

To find out who deleted a user or computer account, you must have “Account Management” auditing enabled beforehand; the audit events are written only at the time of the deletion and cannot be generated retroactively.

The Account Management auditing needs to be enabled as follows:

  • At Domain Controller OU level, edit the “Default Domain Controller” policy to enable auditing:

Computer configuration > Windows settings > Security settings > Local Policies > Audit Policies

- Enable Success for “Audit Account Management”

  • Ensure that the GPO application is working on all DCs.
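Checking that the policy actually landed on every DC is easier from a console than by opening each server. The following PowerShell is an added example (not from the original post); it assumes the RSAT ActiveDirectory module and WinRM access to the domain controllers, and uses auditpol's CSV output (/r) to report the two subcategories that carry the deletion events.

```powershell
# Added example (not from the original post): verify on every DC that
# "Account Management" success auditing took effect after the GPO edit.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to the DCs.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # auditpol /r prints CSV: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $csv = auditpol /get /category:"Account Management" /r | ConvertFrom-Csv
    foreach ($row in $csv) {
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
        }
    }
}

# User deletions (4726) and computer deletions (4743) fall under these two subcategories
$relevant = 'User Account Management', 'Computer Account Management'

$results |
    Where-Object { $_.Subcategory -in $relevant } |
    Sort-Object DC, Subcategory |
    Format-Table DC, Subcategory, Setting -AutoSize

# Flag any DC where Success auditing is missing for either subcategory
$results |
    Where-Object { $_.Subcategory -in $relevant -and $_.Setting -notmatch 'Success' } |
    ForEach-Object {
        Write-Warning "$($_.DC): '$($_.Subcategory)' is '$($_.Setting)'; deletions on this DC will not be audited"
    }
```

Run it after a `gpupdate /force` on the DCs (or after the refresh interval has passed); a DC that still reports "No Auditing" is the one whose GPO application needs troubleshooting.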

After a user or computer account has been deleted, follow the steps below to find out when, where, and by whom the deletion was performed.

Note: The below steps need to be done before you restore the deleted object:

 

1. Dump the deleted objects in “Deleted objects” container.

- ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf

 

2. Search the Deletedobj.ldf file for the AD object that got deleted. The name of this object would have a GUID appended to it. Copy the DN attribute value of this object.

=========================================================

Extract from the LDF file above showing the deleted user object (TestUser):

dn: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local

changetype: add

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

distinguishedName: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local

instanceType: 4

whenCreated: 20100526065020.0Z

whenChanged: 20100526065039.0Z

uSNCreated: 448479

isDeleted: TRUE – This attribute is set to true when an object is deleted.

uSNChanged: 448492

name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==

userAccountControl: 512

objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==

sAMAccountName: TestUser

lastKnownParent: CN=Users,DC=2008dom,DC=local

=========================================================
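The LDF dump can be large, and the object's own name is written base64-encoded (the `cn::` and `name::` lines above) because the tombstone's CN contains a 0x0A byte in front of `DEL:`. The following PowerShell is an added example, not part of the original post: it unfolds LDIF continuation lines, decodes the base64 attributes, and returns just the tombstone whose sAMAccountName you are tracing, so you do not have to search the file by hand. The file path and account name are constructed for the example.

```powershell
# Added example (not from the original post): pick one deleted object out of
# the Deletedobj.ldf written by "ldifde -x" and return the DN that the
# repadmin /showmeta step needs. Path and account name are constructed.

function ConvertFrom-LdifEntry([string[]] $Lines) {
    # Turn the logical lines of one LDIF record into an ordered attribute table.
    $attrs = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+)::\s*(.*)$') {
            # "attr:: value" is base64. cn/name are text containing the 0x0A
            # that ldifde shows as \0A; objectGUID/objectSid stay as base64 text.
            $key   = $matches[1]
            $value = if ($key -in 'cn', 'name') {
                [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($matches[2]))
            } else { $matches[2] }
        } elseif ($line -match '^([^:]+):\s*(.*)$') {
            $key = $matches[1]; $value = $matches[2]
        } else { continue }

        if ($attrs.Contains($key)) { $attrs[$key] = @($attrs[$key]) + $value }   # multi-valued (objectClass)
        else { $attrs[$key] = $value }
    }
    return $attrs
}

function Get-DeletedObjectFromLdf {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $logical = New-Object System.Collections.Generic.List[string]
    foreach ($raw in Get-Content -Path $Path) {
        if ($raw -eq '') {
            # blank line terminates a record; evaluate it and move on
            if ($logical.Count -gt 0) {
                $entry = ConvertFrom-LdifEntry $logical
                if ($entry['isDeleted'] -eq 'TRUE' -and $entry['sAMAccountName'] -eq $SamAccountName) {
                    [pscustomobject]@{
                        DistinguishedName = $entry['distinguishedName']
                        LastKnownParent   = $entry['lastKnownParent']
                        WhenChanged       = $entry['whenChanged']
                        # decoded cn, with the real newline shown as \n for display
                        DecodedCn         = $entry['cn'] -replace "`n", '\n'
                    }
                }
                $logical.Clear()
            }
            continue
        }
        if ($raw.StartsWith(' ') -and $logical.Count -gt 0) {
            # LDIF folding: a leading space continues the previous logical line
            $logical[$logical.Count - 1] += $raw.Substring(1)
        } else {
            $logical.Add($raw)
        }
    }
}

# Usage (constructed path): the DistinguishedName this prints is the DN for step 3
Get-DeletedObjectFromLdf -Path .\Deletedobj.ldf -SamAccountName 'TestUser'
```

Filtering on `isDeleted` plus `sAMAccountName` also answers the case of several tombstones with the same display name: each one keeps its own GUID suffix in the DN, and the `whenChanged` value tells you which deletion you are looking at.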

 

3. Get the output of the following command on any DC.

- repadmin /showmeta "DN of the deleted object" > Delshowmeta.txt

Eg:

repadmin /showmeta "CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt

 

4. While reviewing the output in Delshowmeta.txt, check the “Org. Time/Date” and the “Originating DSA” values on the isDeleted attribute line for this object. They tell you, respectively, when the object was deleted and which DC the deletion was performed against.

=========================================================

Output of Showmeta:

Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute

======= =============== ========= ============= === =========

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectClass

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 cn

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 givenName

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 instanceType

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 whenCreated

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 displayName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 isDeleted

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 nTSecurityDescriptor

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 name

448488 SiteA\2008-DC2 448488 2010-05-26 12:20:20 4 userAccountControl

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 codePage

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 countryCode

448481 SiteA\2008-DC2 448481 2010-05-26 12:20:20 2 dBCSPwd

448480 SiteA\2008-DC2 448480 2010-05-26 12:20:20 1 logonHours

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 unicodePwd

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 ntPwdHistory

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 4 pwdLastSet

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 primaryGroupID

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 supplementalCredentials

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectSid

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 accountExpires

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 lmPwdHistory

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 sAMAccountName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 sAMAccountType

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 userPrincipalName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 lastKnownParent

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 objectCategory

=========================================================

5. With the above info, we need to just check the security event logs on the “Originating DSA” during “Org. Time/Date”. With “Account Management” auditing enabled on the DCs, we should see the following events in the security log.

For computer account deletion:

- On Windows 2003, we should get Event ID: 647

- On Windows 2008, we should get Event ID: 4743

For User account deletion:

- On Windows 2003, we should get Event ID: 630

- On Windows 2008, we should get Event ID: 4726

=========================================================

Below is an example of an event confirming deletion and providing info about who deleted it.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 5/26/2010 12:20:39 PM

Event ID: 4726

Task Category: User Account Management

Level: Information

Keywords: Audit Success

User: N/A

Computer: 2008-dc2.2008dom.local

Description: A user account was deleted.

Subject:

Security ID: 2008DOM\Administrator

Account Name: Administrator

Account Domain: 2008DOM

Logon ID: 0x5fe2d

Target Account:

Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111

Account Name: TestUser

Account Domain: 2008DOM

=========================================================
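Steps 1 through 5 can be chained from one console when the ActiveDirectory PowerShell module is available. The function below is an added example and not the author's procedure: it assumes the RSAT ActiveDirectory module (Get-ADObject -IncludeDeletedObjects needs the 2008 R2 module or later; Get-ADReplicationAttributeMetadata needs the 2012 module or later), permission to read the Security log of the DCs remotely, and a 2008-or-later DC so that the event IDs are 4726/4743. It resolves the tombstone, reads the isDeleted metadata (the same "Originating DSA" and "Org. Time/Date" that repadmin /showmeta prints), then pulls the matching audit event from that DC and reports the Subject, i.e. who deleted the account. The account name in the usage line is constructed from the post's example.

```powershell
# Added example (not from the original post): steps 1-5 of the procedure in one
# function, using the ActiveDirectory module instead of ldifde / repadmin /showmeta
# and manual Event Viewer work. Assumes RSAT AD module and remote Security-log rights.
Import-Module ActiveDirectory

function Trace-ADObjectDeletion {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $WindowMinutes = 5     # search +/- this many minutes around the deletion time
    )

    # Steps 1-2: locate the tombstone directly instead of dumping the whole container
    $obj = Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -Properties sAMAccountName, lastKnownParent, objectClass, whenChanged
    if (-not $obj) { throw "No deleted object with sAMAccountName '$SamAccountName' was found." }
    if (@($obj).Count -gt 1) { throw "Several tombstones match '$SamAccountName'; choose one by DistinguishedName." }

    # Steps 3-4: replication metadata of isDeleted = originating DC and time of deletion
    $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName `
        -Server (Get-ADDomainController -Discover).HostName -Properties isDeleted
    # the originating server comes back as its NTDS Settings DN; resolve it to a host name
    $originDc   = (Get-ADDomainController -Identity $meta.LastOriginatingChangeDirectoryServerIdentity).HostName
    $originTime = $meta.LastOriginatingChangeTime

    # Step 5: 4743 for computer accounts, 4726 for user accounts (2008+ event IDs)
    $eventId = if ($obj.ObjectClass -eq 'computer') { 4743 } else { 4726 }
    $events = Get-WinEvent -ComputerName $originDc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = $eventId
        StartTime = $originTime.AddMinutes(-$WindowMinutes)
        EndTime   = $originTime.AddMinutes($WindowMinutes)
    }

    foreach ($e in $events) {
        # read EventData fields by name (TargetUserName, SubjectUserName, ...) not by position
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # other accounts may have been deleted in the same window; keep only ours
        if ($data.TargetUserName -ne $obj.sAMAccountName) { continue }

        [pscustomobject]@{
            DeletedObject   = $obj.DistinguishedName
            LastKnownParent = $obj.lastKnownParent
            OriginatingDC   = $originDc
            DeletionTime    = $originTime
            EventId         = $e.Id
            EventTime       = $e.TimeCreated
            DeletedBy       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            SubjectLogonId  = $data.SubjectLogonId
        }
    }
}

# Usage (constructed, matching the post's example account)
Trace-ADObjectDeletion -SamAccountName 'TestUser'
```

If nothing comes back although the metadata shows a deletion time, the usual causes are that Success auditing for Account Management was not in effect on the originating DC at that moment, or that the Security log on that DC has since wrapped; both are worth checking before restoring the object.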

Hope this helps…

- Abizer

Comments

  • Anonymous
    January 01, 2003
@Heidi, it should. You may want to make sure you have user management enabled as well as group management enabled.
  • Anonymous
    January 01, 2003
    Really an impressive blog post.
Till now, I am using an automated solution named Lepide auditor suite (http://www.lepide.com/lepideauditor/active-directory.html) to audit such change activities in Active Directory. But it would be a big help in the coming future.

  • Anonymous
    May 07, 2013
    Great Post

  • Anonymous
    July 01, 2013
    Very useful information i appreciate your effort Abizer.

  • Anonymous
    March 05, 2014
Can we get one particular computer/user object's details? Since it will generate all the deleted object details, it will take time. Also, there is a chance that the file will not open due to its large size.

  • Anonymous
    May 05, 2014
    Does this work for removal from a group as well? I have a user that keeps getting removed from a group but "no one" did it.

  • Anonymous
    February 18, 2015
    Thanks a lot

  • Anonymous
    May 22, 2015
    Great Post
    Came very handy to troubleshoot quickly

  • Anonymous
    July 15, 2015
    Thanks for the great post. If you have AD Recycle Bin enabled, you can grab the 'Name' from there as well, just convert to a DN. If you want to skip the ldifde part.

  • Anonymous
    December 15, 2015
Excellent! It helped me a lot; I found the article very focused and rich in information that is essential for understanding what happens when an object is deleted.