Tracing down user and computer account deletion in Active Directory

 

In order to find out about user and computer account deletion, you must keep the “Account Management” auditing enabled, beforehand.

The Account Management auditing needs to be enabled as follows:

  • At Domain Controller OU level, edit the “Default Domain Controller” policy to enable auditing:

Computer configuration > Windows settings > Security settings > Local Policies > Audit Policies

- Enable Success for “Audit Account Management”

  • Ensure that the GPO application is working on all DCs.

After the User/Computer account deletion occurs, the steps you need to follow to get more information about user or computer account deletion.

Note: The below steps need to be done before you restore the deleted object:

 

1. Dump the deleted objects in “Deleted objects” container.

- Ldifde –x –d “CN=Deleted Objects,DC=domain,DC=com” –f Deletedobj.ldf

 

2. Search the Deletedobj.ldf file for the AD object that got deleted. The name of this object would have a GUID appended to it. Copy the DN attribute value of this object.

=========================================================

Extract from the LDF file above showing the deleted user object (TestUser):

dn: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local

changetype: add

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

distinguishedName:

CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008d

om,DC=local

instanceType: 4

whenCreated: 20100526065020.0Z

whenChanged: 20100526065039.0Z

uSNCreated: 448479

isDeleted: TRUE – This attribute is set to true when an object is deleted.

uSNChanged: 448492

name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl

objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==

userAccountControl: 512

objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==

sAMAccountName: TestUser

lastKnownParent: CN=Users,DC=2008dom,DC=local

=========================================================

 

3. Get the output of the following command on any DC.

- Repadmin /Showmeta “DN of the deleted object” > Delshowmeta.txt

Eg:

Repadmin /Showmeta “ CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local ” > Delshowmeta.txt

 

4. While reviewing the output in Delshowmeta.txt, checkthe “Org. Time/Date” and the “Originating DC” value of isDeleted attribute of this object. These values will tell you the time of deletion of this object and the source DC used to delete object, respectively.

=========================================================

Output of Showmeta:

Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute

======= =============== ========= ============= === =========

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectClass

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 cn

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 givenName

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 instanceType

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 whenCreated

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 displayName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 isDeleted

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 nTSecurityDescriptor

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 name

448488 SiteA\2008-DC2 448488 2010-05-26 12:20:20 4 userAccountControl

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 codePage

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 countryCode

448481 SiteA\2008-DC2 448481 2010-05-26 12:20:20 2 dBCSPwd

448480 SiteA\2008-DC2 448480 2010-05-26 12:20:20 1 logonHours

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 unicodePwd

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 ntPwdHistory

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 4 pwdLastSet

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 primaryGroupID

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 supplementalCredentials

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 objectSid

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 accountExpires

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 3 lmPwdHistory

448479 SiteA\2008-DC2 448479 2010-05-26 12:20:20 1 sAMAccountName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 sAMAccountType

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 userPrincipalName

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 1 lastKnownParent

448492 SiteA\2008-DC2 448492 2010-05-26 12:20:39 2 objectCategory

=========================================================

5. With the above info, we need to just check the security event logs on the “Originating DSA” during “Org. Time/Date”. With “Account Management” auditing enabled on the DCs, we should see the following events in the security log.

For computer account deletion:

· On Windows 2003, we should get Event ID: 647

· On Windows 2008, we should get Event ID: 4743

For User account deletion:

· On Windows 2003, we should get Event ID: 630

· On Windows 2008, we should get Event ID: 4726

=========================================================

Below is an example of an event confirming deletion and providing info about who deleted it.

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 5/26/2010 12:20:39 PM

Event ID: 4726

Task Category: User Account Management

Level: Information

Keywords: Audit Success

User: N/A

Computer: 2008-dc2.2008dom.local

Description: A user account was deleted.

Subject:

Security ID: 2008DOM\Administrator

Account Name: Administrator

Account Domain: 2008DOM

Logon ID: 0x5fe2d

Target Account:

Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111

Account Name: TestUser

Account Domain: 2008DOM

=========================================================

Hope this helps…

- Abizer