Active Directory: Event IDs when a user account is deleted
Applies to:
Windows Server 2008, 2008 R2 and 2012
Requirement:
You would like to investigate who has deleted a user account from Active Directory.
Prerequisite:
Auditing must be configured on the domain controllers. In particular, the “Audit account management” policy must be configured, with both the Success and Failure policy settings defined. To configure auditing on domain controllers, edit and update the DDCP (Default Domain Controllers Policy).
When a user account is deleted from Active Directory, an event is logged with Event ID: 4726.
Event Details for Event ID: 4726
A user account was deleted.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
Target Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Additional Information:
Privileges -
In this example, TESTLAB\Santosh has deleted the user account TESTLAB\Random.
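
One way to pull the same Subject and Target Account fields out of the Security log with PowerShell. This is an added example, not part of the original article; the domain controller name `DC01` and the seven-day window are placeholders, and the field names are the ones Windows uses in the event's XML data for 4726.

```powershell
# Added example: report who deleted which user account (Security event 4726).
# Run from an elevated session with rights to read the Security log on each DC.
# The event is written on the domain controller that processed the deletion,
# so list every DC here. 'DC01' is a placeholder name.
$domainControllers = @('DC01')
$since = (Get-Date).AddDays(-7)   # look-back window, adjust as needed

$filter = @{ LogName = 'Security'; Id = 4726; StartTime = $since }

$deletions = foreach ($dc in $domainControllers) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when no event matches; that is not a failure.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        }
        continue
    }

    foreach ($evt in $events) {
        # Read the named <Data> fields from the event XML instead of parsing message text.
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        [pscustomobject]@{
            TimeCreated      = $evt.TimeCreated
            DomainController = $evt.MachineName
            DeletedBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId          = $data['SubjectLogonId']
            DeletedAccount   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            DeletedSid       = $data['TargetSid']
        }
    }
}

$deletions | Sort-Object TimeCreated | Format-Table -AutoSize
```

The `LogonId` column corresponds to the Logon ID shown under Subject in the event details and can be matched against the logon event (4624) with the same Logon ID to see where the deleting session came from.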