How to Detect Who Deleted a User Account in Active Directory
Why It Is Important
When somebody deletes a user account, that user can no longer authenticate to the domain from any computer in the organization. If the account is deleted while the user is logged on, the user loses access to email, SharePoint, SQL Server, shared folders and every other domain-integrated system as soon as those systems next check the credential. A deletion can be an honest mistake, but it can also be an insider or an attacker disrupting a user or removing an account they have finished with, so the deletion itself is a security signal, not just a helpdesk ticket. It is therefore essential to monitor account deletions and quickly determine who deleted a user account, so you can restore an improperly deleted account (with the Active Directory Recycle Bin, if enabled, the original SID and group memberships survive) and minimize business disruption and system unavailability.
Native Auditing
**1.** Run GPMC.msc → Create a new policy → Link it to the Domain Controllers OU (account deletions are logged only on the domain controller that processed them, so the policy must reach the DCs) → Edit it → Computer Configuration → Policies → Windows Settings → Security Settings:
- Local Policies → Audit Policy → Audit account management → Define → Success. If Advanced Audit Policy Configuration is already in use on the DCs, those settings override the legacy categories; in that case enable the equivalent subcategory Account Management → Audit User Account Management → Success instead.
- Event Log → Define → Maximum security log size: 4 GB (4194240 KB, the largest value the setting accepts) and Retention method for security log: Overwrite events as needed. Note that once the log is full the oldest events are lost, so forward Security events to a collector or SIEM if you need to answer this question for deletions older than the log holds.
**2.** Open ADSI Edit → Connect to Default naming context → right click “DC=domain name” → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click “Add” → Choose the following settings:
- Principal: Everyone
- Type: Success
- Applies to: This object and all descendant objects
- Permissions: Delete all child objects → Click “OK”.
This SACL produces Directory Service Access events (such as 4662) for the deletion, which give you an additional record, but only if Audit directory service access → Success is also defined in the policy from step 1. The 4726 event used in step 3 does not depend on this SACL; it is written whenever Audit account management is enabled.
**3.** To determine which user account was deleted and who deleted it, filter the Security event log for Event ID 4726 (“A user account was deleted”). In that event the Subject section (Account Name, Account Domain, Logon ID) identifies who performed the deletion and the Target Account section (Account Name, Account Domain, Security ID) identifies the deleted user. The Logon ID can be matched to the Subject’s 4624 logon event on the same DC to find the workstation the deletion came from. Because each domain controller records only the deletions it processed itself, check the Security log of every DC, or query them centrally.
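The following PowerShell is an added example, not code from the original Netwrix article: it pulls 4726 events from every domain controller and reports the deleted account and the deleting principal, so you do not have to open Event Viewer on each DC. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log remotely (Domain Admins or Event Log Readers), and the seven-day window is an arbitrary choice for the example.

```powershell
# Added example, not part of the original Netwrix article.
# Collects Event ID 4726 (A user account was deleted) from every domain controller
# and reports who deleted which account. Assumes the ActiveDirectory RSAT module is
# installed and the caller may read the Security log remotely. The 7-day default
# window is an arbitrary choice for this example.

Import-Module ActiveDirectory

function Get-UserAccountDeletion {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )

    foreach ($dc in $DomainController) {
        # FilterHashtable is applied by the Event Log service on the DC, so only
        # 4726 records cross the wire. Get-WinEvent throws when nothing matches,
        # which is normal for a quiet DC, hence SilentlyContinue.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4726
            StartTime = $StartTime
        } -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # Read the named EventData fields instead of parsing the message text,
            # which is localized and not stable across Windows versions.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                DeletedAccount   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                DeletedSid       = $data.TargetSid
                DeletedBy        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                SubjectLogonId   = $data.SubjectLogonId   # join to 4624 on the same DC for the source host
            }
        }
    }
}

# Sanity check for step 1: confirm the audit setting is actually in effect on this DC.
# Both the legacy "Audit account management" category and the advanced subcategory
# surface here; the line should read "Success" (or "Success and Failure").
auditpol /get /subcategory:"User Account Management"

Get-UserAccountDeletion |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, DeletedAccount, DeletedBy, DomainController -AutoSize
```

Run it from a management host with line-of-sight to all DCs. The deleted account's SID is kept in the output because a restore from the AD Recycle Bin or a tombstone reanimation is matched on SID, not on the (now free) name, and because the name alone is ambiguous if an attacker recreates an account with the same sAMAccountName afterwards.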
**4.** Real Life Use Case:

Credits: Originally posted - https://www.netwrix.com/how_to_detect_who_deleted_user_accounts.html