Source of computer accounts deletion.

Pavel Pavlenko 21 Reputation points
2023-01-11T08:31:16.9733333+00:00

Hello all,

We have had an issue for quite a long time now - computer accounts are being deleted accidentally.

In the Event Viewer of the DC we can see the 4743 event and it tells us which user account deleted this computer account, but that still doesn't help us, because we can't find the source IP from where the deletion happened.

Is there some way, some kind of audit we can set, or maybe a third-party tool we can use, to see not only the user who deleted, but also to get the IP/computer name from where it happened?

BR,

PP


3 answers

  1. BOURBITA Thameur 12,241 Reputation points Microsoft MVP
    2023-02-03T23:31:25.63+00:00

    Hi @Pavel Pavlenko

    Unfortunately, the audit only lets you know who deleted the computer account. There is no event to identify the IP where the deletion happened.

    On the other hand, when you enable the audit of logon and logoff you may be able to identify where the user was logged on when the computer object was deleted.

    The majority of third-party tools are based on Windows audit (enabled through GPO) and security events on domain controllers.

    Please don't forget to mark the helpful answer as accepted

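A worked version of the correlation the answer above points at, added here as an example and not taken from the question or any answer: on the DC that logged the 4743, the deletion's Subject Logon ID equals the Logon ID of an earlier 4624 logon event, and that 4624 carries the client's source network address and workstation name. It assumes the Security log has already been exported into Python objects (the SecEvent class, field names and all sample values are constructed for this example), and that logon auditing is enabled on the DCs so a 4624 exists to match.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class SecEvent:
    event_id: int
    time: datetime
    computer: str   # domain controller that logged the event
    data: dict      # EventData fields keyed by their schema name

# Constructed sample log (all values made up). Field names follow the Security
# log EventData schema: SubjectLogonId/TargetUserName on 4743; TargetLogonId,
# IpAddress and WorkstationName on 4624.
SAMPLE_EVENTS = [
    SecEvent(4624, datetime(2023, 1, 10, 9, 14, 2), "DC01", {"TargetUserName": "jsmith",
             "TargetLogonId": "0x3A5F21", "LogonType": "3", "IpAddress": "10.20.30.41",
             "WorkstationName": "ADMIN-WS07"}),
    SecEvent(4624, datetime(2023, 1, 10, 9, 20, 55), "DC02", {"TargetUserName": "jsmith",
             "TargetLogonId": "0x3A5F21", "LogonType": "3", "IpAddress": "10.20.30.99",
             "WorkstationName": "OTHER-WS"}),   # same Logon ID value, but on another DC
    SecEvent(4743, datetime(2023, 1, 10, 9, 15, 30), "DC01", {"SubjectUserName": "jsmith",
             "SubjectLogonId": "0x3A5F21", "TargetUserName": "LAPTOP-114$"}),
    SecEvent(4743, datetime(2023, 1, 10, 11, 2, 0), "DC01", {"SubjectUserName": "svc-cleanup",
             "SubjectLogonId": "0x9B10C4", "TargetUserName": "DESKTOP-22$"}),  # no 4624 kept
]

def find_source_logon(deletion, events):
    """Latest 4624 logged on the same DC, at or before the deletion, whose Logon ID
    equals the deletion's Subject Logon ID. Logon IDs are unique only per boot of
    one machine, so the DC name and the time ordering both matter."""
    logon_id = deletion.data["SubjectLogonId"]
    candidates = [e for e in events
                  if e.event_id == 4624 and e.computer == deletion.computer
                  and e.time <= deletion.time and e.data.get("TargetLogonId") == logon_id]
    return max(candidates, key=lambda e: e.time, default=None)

def correlate_deletions(events):
    """One record per 4743: which computer account, deleted by whom, from where."""
    results = []
    for ev in (e for e in events if e.event_id == 4743):
        logon = find_source_logon(ev, events)
        results.append({"deleted": ev.data["TargetUserName"], "by": ev.data["SubjectUserName"],
                        "dc": ev.computer,
                        "source_ip": logon.data["IpAddress"] if logon else "unknown",
                        "source_host": logon.data["WorkstationName"] if logon else "unknown"})
    return results

if __name__ == "__main__":
    for record in correlate_deletions(SAMPLE_EVENTS):
        print(record)
```

A deletion that resolves to "unknown" means the matching 4624 was never written or has already rolled out of the DC's Security log, which is why log size and forwarding matter as much as the audit policy itself. WorkstationName is frequently empty on network logons, so treat IpAddress as the primary field.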

  2. Ken Burns 0 Reputation points
    2023-02-03T23:43:22.6866667+00:00

    To determine the user information and IP address of a user on the domain who is deleting accounts, you can use the following steps:

    1. Enable Audit Logging: Ensure that auditing is enabled in your domain, so that changes to user accounts are recorded in the audit logs.
    2. Check the Event Viewer: Review the Event Viewer logs on the domain controller for any events related to the deletion of user accounts. The logs should contain information about the user who performed the action, as well as the time and date of the action.
    3. Use Netwrix Auditor: Use a third-party tool, such as Netwrix Auditor, to monitor and audit changes to your domain. This tool can provide detailed information about who made changes to the accounts, what changes were made, and when the changes were made.
    4. Monitor Network Traffic: Monitor network traffic on your domain, including incoming and outgoing traffic, to determine the IP address of the user who is deleting accounts. You can use tools such as Wireshark or Microsoft Message Analyzer to monitor network traffic.
    5. Use Active Directory Auditing: Use Active Directory auditing to track changes to user accounts. This feature is built into Active Directory and can provide information about who made changes to the accounts and when the changes were made.

    These steps should help you determine the user information and IP address of a user who is deleting accounts on your domain. However, keep in mind that these steps may not be possible or effective in all situations, and the best solution may vary depending on your specific setup and security requirements.

