PowerShell to check who deleted AD object
How to detect who deleted a user account in Active Directory
Today we are going to explain how to trace who deleted a user in Active Directory. I work at a top IT company as an Active Directory consultant, providing support for a large AD infrastructure.
Yesterday we received a request from the global helpdesk about an account deletion: someone, or some tool, had deleted a user's secondary account from Active Directory.
In my organization there are multiple support teams that handle user creation and deletion. As per security compliance, many automation tools are configured in the infrastructure to support day-to-day activities. One of them, a tool called AIDED, deletes users after a certain period of inactivity.
We assumed the user's secondary account might have been deleted by the AIDED process, so we mailed the concerned team to ask who had deleted it. They checked the logs in the tool's database but found no entry for this user. Now the ball was in the Active Directory team's court to find out who deleted this user.
When we delete an object in Active Directory it is not removed from the AD database straight away; it is kept in the Deleted Objects container.
We can find the deletion date with repadmin /showobjmeta, but before running this command we need the DN (Distinguished Name) of the deleted user. Without the DN we cannot run it or get the deletion details.
How to get the Distinguished Name for deleted object
Log in to any domain controller, open a PowerShell console and run the command below to get the DN of the deleted account.
Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "user" -and isDeleted -eq $true}
The deleted objects are listed from the Deleted Objects container.
Copy the DN of the deleted object; it is required to run the repadmin /showobjmeta command, which gives the replication metadata of the deletion.
Now open a PowerShell console and run the command below to get the last modification details of the deleted account.
repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local"
Now you can see the attribute modification details. Check the isDeleted attribute, which is the one related to the account deletion.
Whenever an object is deleted from Active Directory, AD automatically sets the isDeleted attribute on it, and we can find deleted objects through this attribute.
You can also export these attributes to a .txt file by appending > c:\metadata.txt to the command:
repadmin /showobjmeta dc01.windowstechno.local "CN=Oladapo Hunponu-Wusu\0ADEL:9867e32e-d486-48c2-84da-6633a5f29736,CN=Deleted Objects,DC=Windowstechno,DC=local" > c:\metadata.txt
Open metadata.txt to check all the attributes of this object.
Look at the modification date of the isDeleted attribute; this date shows when the object was deleted from Active Directory.
It does not show who deleted the object, only the deletion date. For that you have to check the Security log.
The metadata does tell you the deletion date and time and the domain controller on which the deletion happened, so you know which domain controller's Security log to check.
So log in to the DC01 domain controller and open Event Viewer to get the details of the person who deleted this object.
Click on the Security log and filter the current log by the deletion date and time.
You can also filter on the deletion event ID instead of the date and time.
The event log shows the account name that deleted this account from Active Directory.
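The two steps above (find the tombstone, then read the replication metadata of isDeleted) can be done in one PowerShell function. This is an added example, not code from the original post: it uses Get-ADReplicationAttributeMetadata from the ActiveDirectory module as the PowerShell equivalent of repadmin /showobjmeta. The DC name is a placeholder, and it assumes the account running it can read the Deleted Objects container.

```powershell
# Added example (not from the original post). Locates a deleted user object and reads the
# replication metadata of its isDeleted attribute, which gives the deletion time and the
# domain controller on which the deletion originated.
# Assumptions: ActiveDirectory module present; rights to read CN=Deleted Objects;
# 'dc01.example.local' is a placeholder domain controller name.
Import-Module ActiveDirectory

function Get-DeletedUserMetadata {
    param(
        [Parameter(Mandatory)][string]$Name,        # name (or name prefix) of the deleted account
        [string]$Server = 'dc01.example.local'      # placeholder DC; replace with your own
    )

    # Step 1: find the tombstone. Deleted objects carry isDeleted=TRUE and are only returned
    # when -IncludeDeletedObjects is given. lastKnownParent tells you where the object lived.
    $deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter "objectClass -eq 'user' -and isDeleted -eq `$true -and Name -like '$Name*'" `
        -Properties lastKnownParent

    if (-not $deleted) {
        Write-Warning "No deleted user matching '$Name' on $Server (the tombstone may already have been purged)."
        return
    }

    foreach ($obj in $deleted) {
        # Step 2: replication metadata for isDeleted. The originating change time is the
        # deletion time; the originating directory server is the DC whose Security log to check.
        $meta = Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName `
            -Server $Server -IncludeDeletedObjects -Properties isDeleted

        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName      # the DN the post passes to repadmin
            LastKnownParent   = $obj.lastKnownParent
            DeletedAt         = $meta.LastOriginatingChangeTime
            OriginatingDC     = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

# Usage with the account name from the post:
Get-DeletedUserMetadata -Name 'Oladapo Hunponu-Wusu' | Format-List
```

If you prefer the raw repadmin output, the DistinguishedName field in the result is exactly the string to paste into repadmin /showobjmeta; the OriginatingDC field corresponds to the "Orig DSA" column there.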
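The Event Viewer step can be scripted against the originating domain controller so the answer is not lost when the Security log rolls over. This is an added example, not code from the original post. It queries the Security log for event ID 4726 (A user account was deleted) and 5141 (A directory service object was deleted) around the deletion time taken from the isDeleted metadata. Assumptions: the corresponding audit subcategories (Audit User Account Management and Audit Directory Service Changes) are enabled, remote event log access is allowed, and the server name and time window are placeholders.

```powershell
# Added example (not from the original post). Asks the originating DC's Security log who
# deleted an account. Event 4726 names the deleted account by sAMAccountName (TargetUserName);
# event 5141 names it by DN (ObjectDN). Both carry the actor in SubjectUserName.
# Assumptions: audit policy for these events is enabled on the DC and the log still holds
# the time window; 'dc01.example.local' is a placeholder.
function Get-ADDeletionActor {
    param(
        [Parameter(Mandatory)][string]$TargetName,   # sAMAccountName or a substring of the DN
        [Parameter(Mandatory)][datetime]$DeletedAt,  # deletion time from the isDeleted metadata
        [string]$Server = 'dc01.example.local',      # originating DC from the metadata
        [int]$WindowMinutes = 10                     # tolerance around the recorded deletion time
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4726, 5141
        StartTime = $DeletedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $DeletedAt.AddMinutes($WindowMinutes)
    }

    # Get-WinEvent reports "no events found" as an error; silence it and warn on an empty result.
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($ev in $events) {
        # EventData field names differ between the two events, so read them by name from the XML.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = if ($ev.Id -eq 4726) { $data['TargetUserName'] } else { $data['ObjectDN'] }
        if ($target -notlike "*$TargetName*") { continue }   # some other deletion in the window

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            EventId     = $ev.Id
            DeletedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Target      = $target
            LogonId     = $data['SubjectLogonId']   # correlate with 4624 on the same DC for the session origin
        }
    }

    if (-not $hits) {
        Write-Warning "No 4726/5141 events for '$TargetName' on $Server in the window; check audit policy and log retention."
    }
    $hits
}

# Usage: DeletedAt and Server come from the isDeleted metadata step. The date is a placeholder.
Get-ADDeletionActor -TargetName 'Oladapo Hunponu-Wusu' -DeletedAt '2020-01-01 10:00' -Server 'dc01.example.local'
```

The LogonId field is worth keeping: if the SubjectUserName turns out to be a service account such as the one used by an automation tool, matching SubjectLogonId against the 4624 logon event on the same DC tells you from which host that session was established.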
So, that's all in this blog. I will meet you soon with the next one. Have a nice day!