Find from where user is getting access to delete active directory objects

TechGeek 31 Reputation points
2020-11-29T13:33:21.877+00:00

Hi Team,

I am a newly joined System Administrator at a company and am setting up delegated control for L1 support admins to delete computers. I created a security group, gave delegate control only to that security group, and added the L1 support users to it. I have been doing this for many years now and I am sure I am doing it correctly.

While testing this with one of the L1 support engineers, to my surprise, I found out that he also has access to delete users. I removed him immediately from the security group I had created, to be sure it was not causing this, but even after removing him from the group I can see the user still has access to delete computers and users. I checked the delegate control properties for permissions and cannot see that he has been given permission separately, and also confirmed that he is not already part of any security group to which the previous admin could have delegated permission, but cannot see anything of the sort. I am just confused about where he is getting this permission from.

Can someone shed some light on this?

Active Directory

2 answers

  1. Abhijeet-MSFT 546 Reputation points Microsoft Employee
    2020-11-29T15:55:19.96+00:00

    A number of methods for getting the list of permissions assigned to a user, and how they are assigned, are described in the following article: https://social.technet.microsoft.com/wiki/contents/articles/6477.active-directory-how-to-view-or-delete-delegated-permissions.aspx. The best would be dsacls and then Liza.

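As an added example (not part of this thread or of the article linked above), the following PowerShell does what dsacls or Liza would show for an object, but filtered down to one user: it builds the set of SIDs the user carries at access-check time (own SID, primary group, all nested groups, Everyone and Authenticated Users), walks from a target OU up to the domain root, and prints every explicit ACE at each level that allows or denies Delete, Delete Child, Delete Subtree or Full Control and actually reaches that user. The user name 'l1tech' and the OU 'OU=Workstations,DC=corp,DC=example' are assumed placeholders. A hit attributed to a built-in group such as Account Operators, or to an ACE set on a parent OU or at the domain root rather than on the OU that was delegated, is the usual explanation for a delete permission that survives removal from a delegation group.

```powershell
# Added example (not from the original thread): trace the ACEs that give a user the
# right to delete objects in or under a container, and where in the OU tree each ACE
# is actually set. Assumed values: user 'l1tech', OU 'OU=Workstations,DC=corp,DC=example'.
# Needs the RSAT ActiveDirectory module, which also provides the AD: PSDrive used by Get-Acl.
Import-Module ActiveDirectory

# Schema class GUIDs that appear in object-specific ACEs ("Delete computer objects" etc.).
$ClassName = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}
function Resolve-ClassGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'any' }
    if ($ClassName.ContainsKey($g.ToString())) { return $ClassName[$g.ToString()] }
    return $g.ToString()
}

function Get-TokenSids([string]$SamAccountName) {
    # Every SID the user presents at access-check time: own SID, primary group, all nested
    # groups (LDAP_MATCHING_RULE_IN_CHAIN resolves the nesting server-side), plus the
    # well-known SIDs Everyone and Authenticated Users that every domain logon carries.
    $u   = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $pg  = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-$($u.primaryGroupID)"
    $set = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($s in $u.SID.Value, $pg.SID.Value, 'S-1-1-0', 'S-1-5-11') { [void]$set.Add($s) }
    foreach ($dn in $u.DistinguishedName, $pg.DistinguishedName) {
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
            ForEach-Object { [void]$set.Add($_.SID.Value) }
    }
    return $set
}

function Get-DeletePermissionSource([string]$User, [string]$TargetDN) {
    $sids = Get-TokenSids $User
    $deleteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree, GenericAll')

    # Walk from the target up to the domain root: each level is a place an ACE can be set.
    $rdns  = $TargetDN -split '(?<!\\),'
    $chain = for ($i = 0; $i -lt $rdns.Count; $i++) {
        if ($i -gt 0 -and $rdns[$i - 1] -like 'DC=*') { break }   # the domain root is the last level
        $rdns[$i..($rdns.Count - 1)] -join ','
    }

    foreach ($dn in $chain) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }               # report each ACE where it is set, not where it lands
            if (([int]$ace.ActiveDirectoryRights -band $deleteMask) -eq 0) { continue }
            if ($dn -ne $TargetDN -and $ace.InheritanceType -eq 'None') { continue }   # would never reach the target
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }    # already a SID, or an orphaned trustee
            if (-not $sids.Contains($sid)) { continue }
            [pscustomobject]@{
                DefinedOn  = $dn
                Type       = $ace.AccessControlType
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ChildClass = Resolve-ClassGuid $ace.ObjectType           # for DeleteChild: which class may be deleted
                AppliesTo  = Resolve-ClassGuid $ace.InheritedObjectType  # which descendant class the ACE lands on
            }
        }
        # A container that blocks inheritance receives nothing from the levels above it.
        if ($acl.AreAccessRulesProtected) { break }
    }
}

Get-DeletePermissionSource -User 'l1tech' -TargetDN 'OU=Workstations,DC=corp,DC=example' |
    Format-Table -AutoSize
```

Running `dsacls "OU=Workstations,DC=corp,DC=example"` prints the whole ACL of one object; the script only shows the subset that reaches the one user, and says at which level it was set. It deliberately ignores WriteDacl and WriteOwner (which let a principal grant itself delete rights) and the finer inherit-only and one-level inheritance flags. One more thing to check before chasing ACEs: group membership changes only take effect on the user's next logon, because the groups are baked into the Kerberos ticket and access token at logon time, so a user removed from a group a few minutes ago will keep the group's permissions until he logs off and on again.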

  2. Vicky Wang 2,731 Reputation points
    2020-11-30T09:30:12.763+00:00

    User accounts in Active Directory (AD) enable employees to log in and gain access to a system. Sometimes, a negligent admin or an attacker might delete a user account, resulting in the employee losing access to their system and files. In such situations, there are ways to find out who performed the deletion.
    Perform the following actions on the Domain Controller (DC):

    Press Start, search for Windows PowerShell, right-click on it, and select Run as administrator.
    Type the following script into the console:
    Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
    Press Enter.
    This script will display deleted user accounts. In the output, under Message > Subject, the Account Name and security ID of the user that performed the deletion on the target user can be seen.

    Note: If you are using a workstation, the following script should be run on PowerShell:

    Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
    where <DC name> is the name of the DC on which you want to check whether the deletion took place.

    reference:https://www.manageengine.com/products/active-directory-audit/how-to/how-to-find-who-deleted-user-account.html

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Hope this information can help you
    Best wishes
    Vicky

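As an added example, not part of the answer above or of the referenced article, this PowerShell variant queries every domain controller rather than a single one, because an account deletion is written only to the Security log of the DC that processed it, uses Get-WinEvent (Get-EventLog is not available in PowerShell 7), and reads the event fields by name instead of by position. Besides 4726 (user account deleted) it also collects 4743 (computer account deleted) and 5141 (directory service object deleted), which is what the asker's case actually involves; the events only exist if the corresponding audit subcategories are enabled on the DCs. The 7-day lookback is an assumed value.

```powershell
# Added example (not from the original thread): pull account/object deletion events from
# every DC in the domain and list who deleted what. Assumed value: a 7-day lookback window.
Import-Module ActiveDirectory

# 4726 = user account deleted, 4743 = computer account deleted (both need the
# "Audit User Account Management" / "Audit Computer Account Management" subcategories),
# 5141 = directory service object deleted (needs "Audit Directory Service Changes").
$DeletionIds = 4726, 4743, 5141

function Get-AdDeletionEvents([int]$Days = 7) {
    # Deletions are logged only on the DC that handled the write, so ask every DC.
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Security'
            Id        = $DeletionIds
            StartTime = (Get-Date).AddDays(-$Days)
        }
        foreach ($e in $events) {
            # Read EventData by field name from the event XML rather than by positional
            # index, so the parse does not depend on the property order of each event ID.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc
                EventId   = $e.Id
                DeletedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # the account that performed the deletion
                Target    = if ($e.Id -eq 5141) { $d.ObjectDN } else { "$($d.TargetDomainName)\$($d.TargetUserName)" }
                LogonId   = $d.SubjectLogonId   # correlate with the 4624 logon event to find the source host
            }
        }
    }
}

Get-AdDeletionEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

The SubjectLogonId column is the same logon session ID that appears in the 4624 logon event on that DC, which is how to find from which workstation the deletion was issued.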
