If the affected user logs in to the domain it also deletes his user account on the AD...
User account getting deleted from on prem AD when any change is made to their properties
I have a user account in on prem AD that gets deleted when any changes are made to the account preferences such as adding or removing group membership etc. It's also getting randomly deleted periodically. All other accounts are fine. It's repeatable easily, a restore via Active Directory Administration Centre works but as soon as we repeat any changes the account gets deleted again.
Adrian Stowe 0 Reputation points
2024-02-05T21:43:04.5933333+00:00
The audit logs are enabled and the problem isn't that anyone is deleting the account. It's being deleted as soon as any change is made to the properties. I'm the only person who has the access to delete accounts, clearly it's not me deleting the account. It's user specific, no other accounts are affected. I can modify properties on any other account, this user account is deleted when any change is made to group membership, either adding or deleting.
Anonymous
2024-02-02T01:46:56.04+00:00
Hello Adrian Stowe,
Thank you for posting in Q&A forum.
To detect who deleted a user account in Active Directory:

Step 1: Enable Group Policy Auditing Settings
On one Domain Controller, run GPMC.msc → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings: Local Policies → Audit Policy → Audit account management → Define → Success
After you configure the GPO setting, run gpupdate /force on this DC.
Note:
1. If you have never configured any advanced audit policy before, then you can configure the legacy audit policy.
2. If you have configured any advanced audit policy before, then you need to configure the advanced audit policy.
3. Once you configure any one advanced audit policy, all legacy audit policies will be overwritten by default.

Step 2: Configure Event Log Settings
Computer Configuration → Policies → Windows Settings → Security Settings: Event Log → Define → Maximum security log size to 1 GB and Retention method for security log to Overwrite events as needed.

Step 3: Open AD Users and Computers, find the parent object of the AD account you mentioned (such as OU or domain) → right click "OU or domain name" → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click "Add" → Choose the following settings: Principal: Everyone; Type: Success; Applies to: This object and all descendant objects; Permissions: Delete all child objects → Click "OK".
After the AD account is deleted next time, please check the event ID 4726 on DC. Then you may know who deleted this account via event ID 4726.
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
If the Answer is helpful, please click "Accept Answer" and upvote it.
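Once the auditing from the answer above is in place, the following PowerShell, added here as an example and not part of the thread, pulls the 4726 events for one account from the DC's Security log, shows which subject (user, service or machine account) deleted it, and lists the account-management events from the same logon session in the two minutes before each deletion, so the group-membership change that triggered it can be seen next to the deletion. The account name is a placeholder; the "before" event IDs are the standard account/group-management IDs (4720, 4722, 4725, 4738, 4728/4729, 4732/4733, 4756/4757).

```powershell
# Added example (not from the original Q&A thread). Run on a domain controller
# after "Audit account management" / "User Account Management" auditing is on.
param(
    [string]$TargetAccount = 'AFFECTED-USER',   # placeholder: sAMAccountName of the deleted account
    [int]$Days = 7
)

# Confirm the subcategory is actually being audited on this DC (advanced audit policy view).
auditpol /get /subcategory:"User Account Management"

# Turn one event's EventData into a name -> value hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    return $fields
}

$filter = @{ LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddDays(-$Days) }
$deletions = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Target    = $f['TargetUserName']
        TargetSid = $f['TargetSid']
        Subject   = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        LogonId   = $f['SubjectLogonId']
    }
} | Where-Object { $_.Target -eq $TargetAccount }

foreach ($del in $deletions) {
    "{0}  {1} ({2}) deleted by {3} [LogonId {4}]" -f $del.Time, $del.Target, $del.TargetSid, $del.Subject, $del.LogonId

    # Account- and group-management events in the 2 minutes before the deletion, restricted
    # to the same logon session: this is the change that immediately preceded the delete.
    $before = @{ LogName = 'Security'; StartTime = $del.Time.AddMinutes(-2); EndTime = $del.Time
                 Id = 4720, 4722, 4725, 4728, 4729, 4732, 4733, 4738, 4756, 4757 }
    Get-WinEvent -FilterHashtable $before -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventFields $_)['SubjectLogonId'] -eq $del.LogonId } |
        ForEach-Object { "    {0}  id {1}  {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
}
```

If the Subject on the 4726 event is a service or machine account rather than a person, the deletion is being performed by an automated process (for example a provisioning or synchronisation job) and that process, not an administrator, is what to investigate next.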