By chatting and providing personal info, you understand and agree to our Terms of Service and Privacy Policy.
Corporate Site
Overview
How it works
For Home
Step-by-Step Guides
Get Tech Support
|
1-808-210-2095

How to Track User and Computer Accounts Deletion in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Track User and Computer Accounts Deletion in Active Directory

 

2. Step 1: Use “ADSI Edit” to enable auditing

To track deleted user and computer accounts, you have to enable the auditing in Active Directory Service Interface (ADSI). Perform the following steps:

  1. Type “ADSIEdit.MSC” in the “Run” box or in “Command Prompt”. Press the “Enter” key and open its console.
  2. Right-click the top most node in the left panel (“ADSI Edit”).
  1. Click “Connect to” to open the “Connection settings” window.
  2. In the “Connection Settings” window, click “Select a well-known Naming Context” and select “Default Naming Context” in the drop-down menu.
  1. Click “OK”. It establishes the connection with Default Naming Context and display its tree structure in the left panel.
  2. Expand “Default Naming Context” to access the very first node titled “DC=www,DC=domain,DC=com”.
  3. Right-click it and select “Properties” to access its properties.
  4. Switch to “Security” tab.
  1. To access “Advanced Security Settings” window click “Advanced”.
  2. Switch to “Auditing” tab.
  1. Here, add the auditing entry for the users whose actions you want to monitor. If the auditing entry is already added then you can skip this step.
  2. Now, click “Add” to add an auditing entry if it does not exist already
  1. Click “Select a Principal” to access the window to add the users, whose actions you want to audit.
  1. If you want to audit the activities of every user and object in the network, type “Everyone” in the text box. Else you can type the username such as Administrator
  2. Click “Check Names” to verify the name.
  3. Click “OK” to add the entered user or object. It takes you back to the “Auditing Entry” window.
  4. Select “Type” as “All” in its drop-down menu.
  5. Select “Applies to” as “This object and all descendant objects” in its drop-down menu.
  6. Select all permissions by clicking checkboxes except the following:
  7. “Full Control”
  8. “List Content”
  9. “Read all properties”
  10. “Read Permissions”.
  11. Now click “OK” to add the auditing entry. It takes you back to the “Advanced Security Settings” window, which now displays the auditing entry, “Everyone” with these permissions.
  1. Click “Apply” and “OK” to close this window. It brings you back to “Security” tab of the object properties.
  2. To close object properties, click “Apply” and “OK”.
  3. Close the “ADSI Edit” window.

3. Step 2: View Events in Event Viewer to Check Deleted User Accounts and Computers in AD

  1. Open the “Event Viewer” console and go to “Windows Logs” ➔ “Security”.
  2. Search for the event ID 4726 (AD User/Account deleted event id) and event ID 4743 (Computer account deleted event id). These event IDs identify the user and computer account deletions.The following screenshots show the Event ID 4726 for user account deletion.
  1. You can scroll down to view which user account was deleted.
  1. Similarly, the following screenshot of Event ID 4743 shows a deleted computer account.
  1. You can scroll down to view the computer object that was deleted.

Privacy Matters

Support.com is committed to your privacy
We do not share or sell your data to third parties. We do use cookies and other third-party technologies to improve our site and services. The California Consumer Privacy Act (CCPA) gives you the ability to opt out of the use of cookies, third-party technologies and/or the future sale of your data. Do not sell my personal information.

Support.com is committed to your privacy
Read our Privacy Policy for a clear explanation of how we collect, use, disclose and store your information

©2024 RealDefense LLC. Support.com is a trademark owned by RealDefense LLC.
PRIVACY
TERMS OF USE