How to Detect Who Deleted a Computer Account in Active Directory
Why It Is Important
Improper deletion of a computer account can cause serious problems for an organization. Users whose computer accounts have been deleted won't be able to log into IT systems using their domain authentication. If they are already logged in, they will have trouble accessing their email, shared folders, SharePoint and other resources. On top of this loss of productivity, IT staff have to spend time investigating why an authentication error has occurred. To avoid these issues, it's vitally important to detect the deletion of computer accounts in a timely manner.
Native Auditing
1. Run GPMC.msc → Create a new policy and assign it to the needed OU → Edit it → Computer Configuration → Policies → Windows Settings → Security Settings, then configure:
- Local Policies → Audit Policy → Audit account management → Define → Success
- Event Log → Define → Maximum security log size: 4 GB; Retention method for security log: Overwrite events as needed
2. Open ADSI Edit → Connect to Default naming context → right-click "DC=domain name" → Properties → Security (tab) → Advanced → Auditing (tab) → Click "Add" → Choose the following settings:
- Principal: Everyone
- Type: Success
- Applies to: This object and all descendant objects
- Permissions: Delete, Delete subtree, Write all properties
3. To find out which computer account was deleted and by whom, filter the Security event log for Event ID 4743 ("A computer account was deleted"). The Subject fields of the event identify the account that performed the deletion and the Target Computer fields identify the deleted computer account.
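As an added example (not code from the original article), the following PowerShell pulls the Event ID 4743 entries from step 3 off a domain controller and reports which computer account was deleted, by whom, and when; the domain controller name and the look-back window are placeholders you substitute for your environment.

```powershell
# Added example: list computer-account deletions (Event ID 4743) from a DC's Security log.
# Assumes the audit settings from steps 1-2 are already in effect (otherwise no 4743
# events exist) and that the caller may read the Security log on the DC.
param(
    [string]$DomainController = 'DC01.example.local',  # placeholder DC name
    [int]$Days = 7                                     # look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4743                                   # "A computer account was deleted"
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
try {
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
} catch {
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

$events | ForEach-Object {
    # The named Subject/Target fields live in the event XML; index them by name.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated      = $_.TimeCreated
        DeletedComputer  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        DeletedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        SubjectLogonId   = $data['SubjectLogonId']     # correlate with the deleter's 4624 logon
        DomainController = $_.MachineName
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Each domain controller records only the deletions it processed itself, so run this against every DC (or a central log collector) to get the full picture.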
Credits: Originally posted at https://www.netwrix.com/how_to_detect_who_deleted_a_computer_account.html