How to Track User and Computer Accounts Deletion in Active Directory
Authored by: Support.com Tech Pro Team
1. Introduction
How to Track User and Computer Accounts Deletion in Active Directory
2. Step 1: Use “ADSI Edit” to enable auditing
To track deleted user and computer accounts, you first have to enable auditing on the domain object using ADSI Edit (the Active Directory Service Interfaces editor). Perform the following steps:
Type “ADSIEdit.MSC” in the “Run” box or in “Command Prompt”. Press the “Enter” key to open its console.
Right-click the topmost node in the left panel (“ADSI Edit”).
Click “Connect to” to open the “Connection Settings” window.
In the “Connection Settings” window, click “Select a well-known Naming Context” and select “Default Naming Context” in the drop-down menu.
Click “OK”. This establishes the connection with the Default Naming Context and displays its tree structure in the left panel.
Expand “Default Naming Context” to access the very first node titled “DC=www,DC=domain,DC=com”.
Right-click it and select “Properties” to access its properties.
Switch to the “Security” tab.
Click “Advanced” to open the “Advanced Security Settings” window.
Switch to the “Auditing” tab.
Here, add the auditing entry for the users whose actions you want to monitor. If the auditing entry is already added then you can skip this step.
Now, click “Add” to add an auditing entry if it does not exist already.
Click “Select a Principal” to open the window for adding the users whose actions you want to audit.
If you want to audit the activities of every user and object in the network, type “Everyone” in the text box. Otherwise, type a username such as Administrator.
Click “Check Names” to verify the name.
Click “OK” to add the entered user or object. It takes you back to the “Auditing Entry” window.
Select “Type” as “All” in its drop-down menu.
Select “Applies to” as “This object and all descendant objects” in its drop-down menu.
Select all permissions by clicking checkboxes except the following:
“Full Control”
“List Content”
“Read all properties”
“Read Permissions”.
Now click “OK” to add the auditing entry. It takes you back to the “Advanced Security Settings” window, which now displays the auditing entry, “Everyone” with these permissions.
Click “Apply” and “OK” to close this window. It brings you back to the “Security” tab of the object properties.
To close object properties, click “Apply” and “OK”.
Close the “ADSI Edit” window.
3. Step 2: View Events in Event Viewer to Check Deleted User Accounts and Computers in AD
Open the “Event Viewer” console and go to “Windows Logs” ➔ “Security”.
Search for event ID 4726 (user account deleted) and event ID 4743 (computer account deleted). These event IDs identify user and computer account deletions. The following screenshots show Event ID 4726 for a user account deletion.
You can scroll down to view which user account was deleted.
Similarly, the following screenshot of Event ID 4743 shows a deleted computer account.
You can scroll down to view the computer object that was deleted.
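The same check can be scripted instead of scrolling through Event Viewer. The following PowerShell is an added example, not part of the original Support.com article: it reads events 4726 and 4743 and reports which account was deleted and by whom. The function names are hypothetical, and the sample event is constructed for illustration.

```powershell
function ConvertFrom-DeletionEventXml {
    # Turn one Security event (as XML) into a "who deleted what" record.
    param([Parameter(Mandatory)][xml]$EventXml)
    $types = @{ 4726 = 'User'; 4743 = 'Computer' }   # event IDs named in this article
    $sys   = $EventXml.Event.System
    $id    = [int]$sys['EventID'].InnerText
    if (-not $types.ContainsKey($id)) { return }     # ignore unrelated events
    # EventData is a flat list of <Data Name="...">value</Data> elements.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        TimeUtc     = $sys['TimeCreated'].GetAttribute('SystemTime')
        EventId     = $id
        AccountType = $types[$id]
        Deleted     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        DeletedSid  = $data['TargetSid']
        DeletedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LoggedOn    = $sys['Computer'].InnerText
    }
}

function Get-AccountDeletion {
    # Live query: run in an elevated session on a domain controller.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726, 4743 } |
        ForEach-Object { ConvertFrom-DeletionEventXml ([xml]$_.ToXml()) }
}

# Constructed sample event (not real data) so the parser can be tried offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4726</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.000000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-DeletionEventXml $sample | Format-List
```

On a domain controller, `Get-AccountDeletion | Sort-Object TimeUtc -Descending` lists the recorded deletions newest first. The Security log is per machine, so the query has to be repeated on each domain controller or run against a central collector.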