
How to Detect Who Deleted a User Account in Active Directory


Today we are going to explain how to trace who deleted a user in Active Directory. I work as an Active Directory consultant at a top IT company, supporting a large AD infrastructure.

Yesterday we received a request from the global helpdesk about an account deletion: someone, or some tool, had deleted a user's secondary account from Active Directory.

In my organization, several support teams handle user creation and deletion. As required by security compliance, a number of automation tools are configured in the infrastructure to support day-to-day activities. One of them, a tool called AIDED, deletes users after a certain period of inactivity.

We assumed the user's secondary account might have been deleted by the AIDED process, so we mailed the team concerned to ask who had deleted it. That team checked the logs in the tool's database but found no entry for this user. Now the ball was in Active Directory's court to find out who deleted the user.

Whenever an object is deleted from Active Directory it is not removed from the database straight away. It is turned into a tombstone (or, if the AD Recycle Bin is enabled, a deleted object that can be restored), moved to the Deleted Objects container and kept there for the tombstone lifetime (typically 60 or 180 days depending on when the forest was created); only after that is it garbage-collected. So the steps below only work while the deleted object still exists in that container.

We can find the deletion date with the repadmin /showobjmeta command, but before running it we need the DN (Distinguished Name) of the deleted user. Without the DN we cannot run the command or get the deletion details.
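Because everything below depends on the deleted object still being in the Deleted Objects container, it is worth knowing how long that window is in your forest. The script below is an added example, not part of the original post; it reads tombstoneLifetime and msDS-DeletedObjectLifetime from the Directory Service object in the configuration partition and checks whether the Recycle Bin optional feature is enabled. It assumes the ActiveDirectory module (RSAT or a domain controller) and read access to the configuration partition; the function name is my own.

```powershell
# Added example (not from the original post): how long a deleted user stays in
# CN=Deleted Objects before garbage collection removes it for good.
# Assumes the ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-DeletedObjectRetention {
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                          -Properties tombstoneLifetime, msDS-DeletedObjectLifetime

    # An unset tombstoneLifetime means the built-in default of 60 days; forests
    # created on Windows Server 2003 SP1 or later normally have 180 set explicitly.
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

    # With the Recycle Bin on, an object is a restorable "deleted object" for
    # msDS-DeletedObjectLifetime days (unset => same as tombstoneLifetime) and
    # then a "recycled object" for tombstoneLifetime more days.
    $dol = if ($dsObj.'msDS-DeletedObjectLifetime') { [int]$dsObj.'msDS-DeletedObjectLifetime' } else { $tsl }

    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    $recycleBinOn = ($rb.EnabledScopes.Count -gt 0)

    # Days during which the object is still present in the database in some form
    $retained = if ($recycleBinOn) { $dol + $tsl } else { $tsl }

    [pscustomobject]@{
        RecycleBinEnabled         = $recycleBinOn
        TombstoneLifetimeDays     = $tsl
        DeletedObjectLifetimeDays = $dol
        ObjectRetainedDays        = $retained
    }
}

Get-DeletedObjectRetention | Format-List
```

If ObjectRetainedDays has already passed since the deletion, the Get-ADObject and repadmin steps that follow will find nothing, and the Security log on the originating DC (or your SIEM) is the only remaining evidence.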

How to get the Distinguished Name for a deleted object

Log on to any domain controller, open a PowerShell console and run the command below to get the DN of the deleted account (it uses the ActiveDirectory module, which is present on every DC and in RSAT):

Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "user" -and isDeleted -eq $true}

Screenshot: Deleted Objects details

We can see the deleted object in the Deleted Objects container. Its name has been suffixed with \0ADEL: followed by its objectGUID, which is how AD renames an object when it is deleted.

Screenshot: Distinguished Name

Copy the DN of the deleted object; it is required for the showobjmeta command, which tells us when (and on which domain controller) the user was deleted.

Now open a PowerShell (or command prompt) console and run the command below to get the last-modification metadata of the deleted account:

repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local"

Screenshot: All attributes details

Now you can see the modification details for every attribute. Check the isDeleted attribute, which is the one related to the account deletion.

Whenever an object is deleted from Active Directory, AD automatically sets the isDeleted attribute on it to TRUE, and that is the attribute we use to find deleted objects (as in the Get-ADObject filter above).

You can also export these attribute details to a .txt file by appending > c:\metadata.txt to the command, as in the snapshot below:

  • repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local" > c:\metadata.txt

Open metadata.txt to check all the attributes of this object.

Screenshot: showobjmeta output

Look at the modification date of the isDeleted attribute: that is when the object was deleted from Active Directory.

It does not show who deleted the object, only the deletion date. For that you have to check the Security log, which records event ID 4726 (A user account was deleted) with the account that performed the deletion in its Subject fields. That event is only written if the audit policy Audit User Account Management (Account Management category) is enabled for Success on the domain controllers, so check that policy if you find nothing.

Screenshot: Metadata output

The metadata also shows the date and time of the deletion and, in the Originating DSA column, the domain controller on which the deletion was performed.

Log on to that domain controller (DC01 in this example) and open Event Viewer to get the details of the person who deleted the object. The Security event is written only on the DC that processed the deletion; it is not replicated to the other DCs, so looking at a different DC will not find it.

Click Security under Windows Logs and filter the current log by the deletion date and time.

Screenshot: Filtering the current log

You can also filter on the deletion event ID (4726, A user account was deleted) instead of the date and time.

Screenshot: Security log

The event shows, under Subject, the account name that deleted this account from Active Directory, and under Target Account the account that was deleted.
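The whole procedure above (find the deleted object, read the isDeleted metadata, then query the Security log on the originating DC) can be done in one script instead of copying DNs between consoles. The script below is an added example and not part of the original post: it uses Get-ADReplicationAttributeMetadata in place of repadmin /showobjmeta, maps the Originating DSA (an NTDS Settings DN) back to a host name, and pulls event 4726 from that DC in a window around the deletion time. It assumes the ActiveDirectory module, rights to read deleted objects, and rights to read the remote Security log; the parameter names and the sample account name are placeholders.

```powershell
# Added example (not from the original post): trace who deleted a user end to end.
# Assumes the ActiveDirectory module, read access to CN=Deleted Objects and
# remote read access to the originating DC's Security log.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,                                  # e.g. 'jdoe.admin'
    [string]$Server = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1),
    [int]$WindowMinutes = 10                                                         # +/- around the deletion time
)
Import-Module ActiveDirectory

# 1. Find the tombstone. sAMAccountName is preserved on deleted objects, so there
#    is no need to copy the \0ADEL: DN by hand.
$tombstones = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter { objectClass -eq 'user' -and isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
    -Properties sAMAccountName, lastKnownParent, whenChanged)
if ($tombstones.Count -eq 0) {
    throw "No deleted user '$SamAccountName' found; it may already have been garbage-collected."
}

# NTDS Settings DN -> host name, so the 'Originating DSA' value becomes a server we can query.
$dcByNtds = @{}
Get-ADDomainController -Filter * | ForEach-Object { $dcByNtds[$_.NTDSSettingsObjectDN] = $_.HostName }

foreach ($obj in $tombstones) {
    # 2. Replication metadata of isDeleted: the change that set it IS the deletion,
    #    so its originating time and DSA are what repadmin /showobjmeta prints.
    $meta = Get-ADReplicationAttributeMetadata -Server $Server -Object $obj.DistinguishedName `
                -IncludeDeletedObjects -Properties isDeleted
    $deletedAt = $meta.LastOriginatingChangeTime
    $originDsa = $meta.LastOriginatingChangeDirectoryServerIdentity
    $originDc  = $dcByNtds[$originDsa]
    if (-not $originDc) {
        # The DC may have been demoted since; fall back to the CN under 'CN=NTDS Settings'.
        if ($originDsa -match '^CN=NTDS Settings,CN=([^,]+),') { $originDc = $Matches[1] }
        else { Write-Warning "Cannot map originating DSA '$originDsa' to a DC"; continue }
    }

    # 3. Event 4726 on that DC only: Security events are not replicated. Needs
    #    'Audit User Account Management' (Success) on the DCs and a log that has not rolled over.
    $events = Get-WinEvent -ComputerName $originDc -FilterHashtable @{
        LogName   = 'Security'; Id = 4726
        StartTime = $deletedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $deletedAt.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue

    $hits = foreach ($ev in $events) {
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.TargetUserName -ne $obj.sAMAccountName) { continue }   # another deletion in the same window
        [pscustomobject]@{
            DeletedUser   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            DeletedBy     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId       = $data.SubjectLogonId      # correlate with 4624/4672 to find the session
            EventTime     = $ev.TimeCreated
            OriginatingDC = $originDc
        }
    }

    if ($hits) { $hits }
    else {
        [pscustomobject]@{
            DeletedUser   = $obj.sAMAccountName
            DeletedBy     = '<no 4726 found: auditing off, log rolled over, or wrong DC>'
            EventTime     = $deletedAt
            OriginatingDC = $originDc
            Tombstone     = $obj.DistinguishedName
        }
    }
}
```

Run it as .\Trace-DeletedUser.ps1 -SamAccountName jdoe.admin from a machine with RSAT. When DeletedBy comes back as a service account, that points at an automation tool such as the one described above; when no 4726 is found at all, the metadata still proves when and on which DC the deletion happened, and the event has to be looked for in the SIEM or event-forwarding collector rather than on the DC.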

So, that's all for this blog. I will be back soon with the next topic. Have a nice day!


Vipan Kumar

He is an Active Directory engineer who has been working in the IT industry for more than 10 years. For further help on these subjects, contact admin@windowstechno.com.