How to Detect Who Deleted a User Account in Active Directory

Hello Guys

Hope you are doing well and enjoying all the posts.

Today we are going to explain how to trace who deleted a user in Active Directory. I work in a top IT company as an Active Directory consultant, providing support for a large AD infrastructure.

Yesterday we received a request from the global helpdesk about an account deletion. Someone, or some tool, had deleted the user's secondary account from Active Directory.

In my organization there are multiple support teams who handle user creation/deletion. As per security compliance, many automation tools are configured in the infrastructure to support day-to-day activities. One of these tools, called AIDED, deletes users after a certain period of user inactivity.

We assumed the user's secondary account might have been deleted by the AIDED process, so a mail was sent to the concerned team to find out who deleted this secondary account. The concerned team checked the logs in the tool's database but did not find any entry for this user. Now the ball was in Active Directory's court to find out who deleted this user.

Whenever we delete an object in Active Directory, it is not removed permanently from the AD database right away; it is kept in the Deleted Objects container.

We can find out the deletion date with the repadmin /showobjmeta command, but before running it we need the DN (Distinguished Name) of the deleted user. Without the DN we cannot run it and get the deletion details.

How to get the Distinguished Name for a deleted object

Log in to any domain controller, open a PowerShell console and execute the command below to get the DN of the deleted account.

Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "user" -and isDeleted -eq $true}

[Screenshot: Deleted Objects details]

We can see the deleted object in the Deleted Objects container.

[Screenshot: Distinguished Name]

Copy the DN of the deleted object; it is required to run the showobjmeta command on the way to finding out who deleted the user.

Now open a PowerShell console and execute the command below to get the last-modification details of the deleted account.

repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local"

[Screenshot: All attributes details]

Now you can see the attribute modification details. Check the isDeleted attribute, which relates to the account deletion.

Whenever an object is deleted from Active Directory, AD automatically sets the isDeleted attribute on that object, and we can find deleted objects by this attribute.

You can also export these attributes into a .txt file by appending > c:\metadata.txt to the command, as in the snapshot below.

  • repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local" > c:\metadata.txt

Open metadata.txt to check all the attributes of this object.

[Screenshot: ShowObjMeta output]

Look at the modification date of the isDeleted attribute: this date shows when the object was deleted from Active Directory.

It does not show who deleted the object, only the deletion date. For that you have to check the Security log.

[Screenshot: Meta logs]

This output shows the deletion date and time as well as the domain controller on which the deletion happened.
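The two steps above (find the deleted object's DN, then read its isDeleted metadata) can be scripted so that the deletion time and the originating domain controller come out in one table instead of copying DNs by hand into repadmin. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that repadmin.exe is on the PATH, that the caller can read CN=Deleted Objects, and that the isDeleted row of repadmin's output has the column order shown in the post's screenshot (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute). The server name and the Name pattern are placeholders taken from the post.

```powershell
# Added example (not from the original post). Lists deleted user objects and
# pulls the isDeleted replication metadata for each one via repadmin.
Import-Module ActiveDirectory

function Get-DeletedUserMetadata {
    param(
        [string]$Server = 'dc01.windowstechno.local',  # DC to query (placeholder)
        [string]$Name   = '*'                          # CN prefix of the deleted user, e.g. 'Oladapo*'
    )

    # Tombstones keep isDeleted=TRUE and live under CN=Deleted Objects. Without
    # -IncludeDeletedObjects the search silently returns nothing. Note that
    # objectClass=user also matches deleted computer accounts.
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter { objectClass -eq 'user' -and isDeleted -eq $true -and Name -like $Name } `
        -Properties whenChanged, lastKnownParent, objectGUID

    foreach ($obj in $deleted) {
        # repadmin prints one row per attribute; we only need the isDeleted row.
        # Assumed layout: Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
        $rows = & repadmin.exe /showobjmeta $Server $obj.DistinguishedName 2>&1
        $row  = $rows | Where-Object { "$_" -match '\sisDeleted\s*$' } | Select-Object -First 1
        if (-not $row) {
            Write-Warning "No isDeleted metadata returned for $($obj.DistinguishedName)"
            continue
        }

        $tokens = "$row".Trim() -split '\s+'
        # Locate the date token rather than trusting fixed positions, so extra
        # whitespace in the DSA column does not break the parse.
        $dateIdx = -1
        for ($i = 0; $i -lt $tokens.Count; $i++) {
            if ($tokens[$i] -match '^\d{4}-\d{2}-\d{2}$') { $dateIdx = $i; break }
        }
        if ($dateIdx -lt 1 -or $dateIdx + 1 -ge $tokens.Count) {
            Write-Warning "Unexpected row format: $row"
            continue
        }

        [pscustomobject]@{
            Name              = $obj.Name
            ObjectGuid        = $obj.objectGUID
            LastKnownParent   = $obj.lastKnownParent       # OU the account lived in before deletion
            DeletedAt         = [datetime]::ParseExact("$($tokens[$dateIdx]) $($tokens[$dateIdx + 1])",
                                                        'yyyy-MM-dd HH:mm:ss', $null)
            OriginatingDsa    = $tokens[1]                 # Site\DC that processed the delete
            OriginatingUsn    = $tokens[$dateIdx - 1]
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# Usage: Get-DeletedUserMetadata -Name 'Oladapo*' | Format-Table Name, DeletedAt, OriginatingDsa
```

The OriginatingDsa value is the piece to carry forward: the Security event for the deletion is written only on the domain controller that processed it, so that is the DC whose Security log needs to be searched. On a large directory, keep the Name filter narrow; running repadmin once per tombstone across thousands of deleted objects is slow.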

Just log in to the DC01 domain controller and open Event Viewer to get the details of the person who deleted this object.

Click on the Security log and filter the current log.

[Screenshot: Filtering the current log]

You can also filter on the deletion event ID instead of the deletion date and time.

[Screenshot: Security logs]

The event log shows you the account name that deleted this account from Active Directory.
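The Event Viewer filter described above can be done from PowerShell as well, which makes it easy to feed in the deletion time and originating DC from the metadata step. The following is an added example, not code from the original post. The event ID it uses, 4726 ("A user account was deleted"), is the standard Windows Security event for this operation (4743 and 4730 are the equivalents for computer accounts and security groups); it assumes the "Audit User Account Management" subcategory is enabled on the domain controllers, that remote Event Log access is permitted, and that the computer name and the values in the usage comment are placeholders.

```powershell
# Added example (not from the original post). Finds the 4726 event on the
# originating DC around the isDeleted timestamp and extracts who deleted what.

function Find-UserDeletionEvent {
    param(
        [Parameter(Mandatory)][datetime]$DeletedAt,           # from the isDeleted metadata row
        [string]$Computer      = 'dc01.windowstechno.local',   # originating DC (placeholder)
        [string]$TargetName,                                   # sAMAccountName of the deleted user, if known
        [int]$WindowMinutes    = 15                            # tolerate clock skew / display time zone
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4726            # "A user account was deleted"
        StartTime = $DeletedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $DeletedAt.AddMinutes($WindowMinutes)
    }

    # Get-WinEvent raises an error when nothing matches; SilentlyContinue turns
    # that into an empty result so the caller can simply widen the window.
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="..."> nodes; flatten it into a hashtable
            # so the Subject (who) and Target (what) fields can be read by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                DeletedBy      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                DeletedAccount = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                TargetSid      = $data.TargetSid
                SubjectLogonId = $data.SubjectLogonId   # correlate with a 4624 logon event to see the source host
                RecordId       = $_.RecordId
                DC             = $_.MachineName
            }
        } |
        Where-Object { -not $TargetName -or $_.DeletedAccount -like "*\$TargetName" }
}

# Usage (placeholder values): feed in DeletedAt and the DC from the metadata step.
# Find-UserDeletionEvent -DeletedAt '2020-01-01 10:00:00' -Computer 'dc01.windowstechno.local' -TargetName '<samaccountname>'
```

If the query returns nothing, check the two usual causes before assuming the event was lost: the subcategory may not be audited on that DC, or the Security log may have already rolled over (a small log on a busy DC can wrap in hours, which is a good argument for forwarding Security events to a central collector). A deletion performed by a service account such as the AIDED tool shows up in DeletedBy just like a human operator, which answers the question the helpdesk ticket raised.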

Guys, please don't forget to like and share the post. You can also share your feedback on the Windows Techno email id below.

If you have any questions feel free to contact us on also follow us on facebook@windowstechno to get updates about new blog posts.
