Tracing down user and computer account deletion in Active Directory
After a user or computer account has been deleted, follow these steps to find out when it was deleted, on which domain controller, and by whom.
1> Search for the DN of the deleted object (AdRestore from Sysinternals enumerates deleted objects whose name matches the filter):
G:\Tools>adrestore.exe g_IF_EMEA_MMA_QlikView-IF*
Enumerating domain deleted objects:
cn: g_IF_EMEA_MMA_QlikView-IF
DEL:80b84c8e-87a6-49db-bd8f-99224b7293a2
distinguishedName: CN=g_IF_EMEA_MMA_QlikView-IF\0ADEL:80b84c8e-87a6-49db-bd8f-99224b7293a2,CN=Deleted Objects,DC=d30,DC=intra
lastKnownParent: OU=Groups,OU=MMA,OU=EMEA,OU=IF,DC=d30,DC=intra
The cn of a deleted object is its original name followed by a line feed (0x0A, escaped as \0A in the DN) and DEL:<objectGUID>, which is why the cn prints on two lines. Use the distinguishedName value, quoted, in the next step; lastKnownParent tells you where the object lived before it was deleted.
2> Run the following against any DC (attribute metadata is replicated, so every DC returns the same originating DC and originating time):
- repadmin /showobjmeta <DCname> "<DN of the deleted object>"
Eg:
G:\>repadmin /showobjmeta adcnag "CN=g_IF_EMEA_MMA_QlikView-IF\0ADEL:80b84c8e-87a6-49db-bd8f-99224b7293a2,CN=Deleted Objects,DC=d30,DC=intra"
14 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 objectClass
62126176 AMD\ADCNAG 62126176 2013-02-01 11:57:54 2 cn
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 instanceType
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 whenCreated
62126177 AMD\ADCNAL 62399560 2013-02-01 11:57:42 1 isDeleted
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 nTSecurityDescriptor
62126176 AMD\ADCNAL 62399560 2013-02-01 11:57:42 2 name
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 objectSid
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 sAMAccountName
62126178 AMD\ADCNAL 62399560 2013-02-01 11:57:42 2 sAMAccountType
62125520 AMD\ADCNAL 62398665 2013-02-01 11:55:25 1 groupType
62126178 AMD\ADCNAL 62399560 2013-02-01 11:57:42 1 lastKnownParent
62126178 AMD\ADCNAL 62399560 2013-02-01 11:57:42 2 objectCategory
62126177 AMD\ADCNAL 62399560 2013-02-01 11:57:42 1 isRecycled
0 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver
======= ============ ============= ================= ======= ======= ===
Distinguished Name
3> In the output, look at the isDeleted row: its Org.Time/Date is the time the object was deleted and its Originating DC is the DC on which the delete was performed (the Loc.USN and Org.USN columns are replication bookkeeping and are not needed here). Ver 1 means this is the first time the object was deleted; a higher version means it was deleted, restored and deleted again, and the time shown is the latest deletion. The attributes stamped at the same time with Ver 2 (cn, name, sAMAccountType, objectCategory) were rewritten or removed by the deletion itself, when the object was renamed with the DEL: suffix and moved to CN=Deleted Objects, so they are not a separate change.
=========================================================
62126177 AMD\ADCNAL 62399560 2013-02-01 11:57:42 1 isDeleted
=========================================================
4> With that information, check the Security event log on the Originating DC around the Org.Time/Date. The event and metadata timestamps need not agree to the second (in the example below the event is stamped 11:57:25 and the metadata 11:57:42), so search a window of several minutes and check that both outputs are read in the same time zone. With "Audit account management" enabled on the DCs (on Windows 2008 and later, the User Account Management and Computer Account Management subcategories), you should see the following events in the Security log.
For computer account deletion:
· On Windows 2003, Event ID 647
· On Windows 2008 and later, Event ID 4743
For user account deletion:
· On Windows 2003, Event ID 630
· On Windows 2008 and later, Event ID 4726
Note that the object traced above is a group (it sits under OU=Groups and carries a groupType attribute). Group deletions are audited under Security Group Management instead: for example 4730 for a global security group and 4734 for a domain local security group on Windows 2008 and later (634 and 638 on Windows 2003). If Directory Service Changes auditing is enabled and the parent OU carries a SACL, the delete also produces Event ID 5141 (A directory service object was deleted), which records the object's DN regardless of its class.
You can run EventCombMT to search for the event across multiple DCs. The Subject of the matching event is the account that performed the deletion.
=========================================================
Below is an example of an event confirming the deletion and showing who deleted it: the Subject is the account that performed the delete, the Target Account is the deleted object.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2013-02-01 11:57:25
Event ID: 4726
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: ADCNAL.d30.intra
Description: A user account was deleted.
Subject:
Security ID: d30\Administrator
Account Name: Administrator
Account Domain: d30
Logon ID: *******
Target Account:
Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111
Account Name: g_IF_EMEA_MMA_QlikView-IF
Account Domain: d30
=========================================================
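The four steps above as one script, added here as an example; it is not part of the original note and not the output of any Microsoft tool. It uses the ActiveDirectory module cmdlets in place of adrestore and repadmin (Get-ADObject -IncludeDeletedObjects and Get-ADReplicationAttributeMetadata) and Get-WinEvent in place of EventCombMT. The domain, DC and object name are the ones from this note; the 15-minute search window, the way the originating DC name is pulled out of the metadata, the event ID mapping for groups and the 5141 fallback are my assumptions and are marked as such in the comments.

```powershell
# Added example, not part of the original note: the four steps above as one PowerShell run.
# Requires the ActiveDirectory module (RSAT) and rights to read the Security log on the DC
# remotely (normally the "Remote Event Log Management" firewall rule on the DC).
Import-Module ActiveDirectory

$Domain     = 'd30.intra'                   # from the note; replace with your domain
$ObjectName = 'g_IF_EMEA_MMA_QlikView-IF'   # from the note; replace with the deleted object's name
$Window     = New-TimeSpan -Minutes 15      # assumption: tolerance around the deletion time
                                            # (absorbs clock skew and time-zone differences)

# Step 1: find the deleted object. A deleted object's name is "<name>\0ADEL:<guid>", so a
# prefix match on the original name finds it; isDeleted=TRUE excludes live objects.
$deleted = Get-ADObject -Server $Domain -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(name=$ObjectName*))" `
    -Properties lastKnownParent, objectSid, objectClass, whenCreated
if (-not $deleted)        { throw "No deleted object matching '$ObjectName' found in $Domain" }
if ($deleted.Count -gt 1) { throw "More than one deleted object matches '$ObjectName'; refine the name" }
"Deleted object   : $($deleted.DistinguishedName)"
"Last known parent: $($deleted.lastKnownParent)"

# Steps 2 and 3: attribute metadata for isDeleted (the equivalent of repadmin /showobjmeta).
# Metadata is replicated, so any DC returns the same originating DC and time.
$meta = Get-ADReplicationAttributeMetadata -Object $deleted.DistinguishedName `
            -Server $Domain -IncludeDeletedObjects |
        Where-Object AttributeName -eq 'isDeleted'
$deletedAt = $meta.LastOriginatingChangeTime
# Assumption: the originating server identity is the DC's NTDS Settings DN
# (CN=NTDS Settings,CN=<DC>,...); fall back to the raw value if it is not in that form.
$originDc = if ($meta.LastOriginatingChangeDirectoryServerIdentity -match '^CN=NTDS Settings,CN=([^,]+)') {
    $Matches[1]
} else {
    $meta.LastOriginatingChangeDirectoryServerIdentity
}
"Deleted at       : $deletedAt (isDeleted version $($meta.Version); >1 means deleted, restored, deleted again)"
"Originating DC   : $originDc"

# Step 4: which Security events to look for, by object class (Windows 2008 and later IDs;
# the Windows 2003 equivalents from the note are 630 for users and 647 for computers).
$eventIds = switch ($deleted.objectClass) {
    'user'     { 4726 }                      # A user account was deleted
    'computer' { 4743 }                      # A computer account was deleted
    'group'    { 4730, 4734, 4758,           # security group deleted (global / domain local / universal)
                 4748, 4753, 4763 }          # distribution group deleted (domain local / global / universal)
    default    { 5141 }                      # assumption: fall back to Directory Service Changes
}

# Pull candidate events from the originating DC in a window around the deletion time and keep
# the one whose target is our object. The Subject* fields identify who performed the delete.
$events = Get-WinEvent -ComputerName $originDc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventIds
    StartTime = $deletedAt - $Window
    EndTime   = $deletedAt + $Window
}
if (-not $events) { "No events $($eventIds -join ',') on $originDc within $Window of $deletedAt"; return }

foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    # 4726/4743/47xx carry TargetSid and TargetUserName; 5141 carries ObjectGUID and ObjectDN
    # (assumption: the GUID is rendered with braces, hence the Trim).
    $isOurs = ($data['TargetSid']      -and $data['TargetSid'] -eq $deleted.objectSid.Value) -or
              ($data['TargetUserName'] -and $data['TargetUserName'] -eq $ObjectName) -or
              ($data['ObjectGUID']     -and $data['ObjectGUID'].Trim('{}') -eq $deleted.ObjectGUID.ToString())
    if ($isOurs) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            DC          = $e.MachineName
            DeletedBy   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId     = $data['SubjectLogonId']
            Target      = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectDN'] }
        }
    }
}
```

Run it from a workstation with RSAT installed as an account that can read deleted objects and the DC's Security log. If the last step prints nothing, widen $Window before assuming the event was never logged: the note's own example shows the event and the metadata differing by 17 seconds, and the two timestamps may also be displayed in different time zones.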
Please ignore this if you already know or have used these steps.