Tracing down user and computer account deletion in Active Directory
Auditing has to be in place before the deletion happens: a user or computer account deletion can only be traced back to the person who performed it if “Account Management” auditing was already enabled on the domain controllers at the time the object was deleted.
Enable Account Management auditing as follows:
- At the Domain Controllers OU, edit the “Default Domain Controllers Policy” GPO:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
- Set “Audit account management” to Success (Failure is optional for this purpose).
- Verify that the GPO is actually applied on every DC (gpresult /r or rsop.msc on each DC). On Windows Server 2008 and later the deletion events belong to the “User Account Management” and “Computer Account Management” audit subcategories; if Advanced Audit Policy settings are in use they override the legacy category, so those two subcategories must then be set to Success themselves.
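Rather than opening rsop.msc on each DC, the effective setting can be pulled from all of them at once. The following PowerShell is an added check, not part of the original post; it assumes the ActiveDirectory module (RSAT) and PowerShell remoting to the DCs, neither of which the post mentions, and reads the effective policy with auditpol so that it reflects whatever won between legacy and advanced audit settings.

```powershell
# Added example, not from the original post: report the effective audit setting
# for the two account-management subcategories on every DC in the domain.
# Assumes (not in the post): ActiveDirectory module and WinRM to the DCs.
$subcategories = 'User Account Management', 'Computer Account Management'

# auditpol /r prints CSV (Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting); blank lines are dropped
# before ConvertFrom-Csv turns the rows into objects.
$dcs = (Get-ADDomainController -Filter *).HostName
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    foreach ($sub in $using:subcategories) {
        auditpol.exe /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    }
}

$report | Select-Object 'Machine Name', Subcategory, 'Inclusion Setting' |
    Sort-Object 'Machine Name', Subcategory | Format-Table -AutoSize

# A DC whose setting does not include Success will never log 4726/4743, so a
# deletion that originated there cannot be attributed with the steps below.
$report | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' } | ForEach-Object {
    Write-Warning "$($_.'Machine Name'): '$($_.Subcategory)' is set to '$($_.'Inclusion Setting')'"
}
```

Run it from any domain-joined admin workstation; the warning list is the set of DCs on which a deletion would leave no audit trail.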
After a user or computer account has been deleted, the following steps recover the details of the deletion.
Note: Do these steps before you restore (reanimate) the deleted object. Restoring it clears isDeleted and writes new replication metadata for that attribute, so after a restore the metadata points at the restore rather than at the original deletion. They also have to happen within the tombstone lifetime of the forest; once the tombstone has been garbage-collected there is nothing left to query.
1. Dump the tombstones in the “Deleted Objects” container. The -x switch tells ldifde to include deleted objects; without it the container appears empty.
- ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf
2. Search Deletedobj.ldf for the object that was deleted and copy the value of its DN. A tombstone’s RDN is the original name followed by a line feed, the string DEL: and the object’s GUID; the line feed shows up as \0A in the DN. Because cn and name now contain that line feed, LDIF writes them base64-encoded, which is why those two attributes appear with a double colon in the extract below.
=========================================================
Extract from the LDF file above showing the deleted user object (TestUser):
dn: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
distinguishedName: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local
instanceType: 4
whenCreated: 20100526065020.0Z
whenChanged: 20100526065039.0Z
uSNCreated: 448479
isDeleted: TRUE – This attribute is set to true when an object is deleted.
uSNChanged: 448492
name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==
sAMAccountName: TestUser
lastKnownParent: CN=Users,DC=2008dom,DC=local
=========================================================
3. Run the following command on any DC. The originating USN, DSA and time replicate with the object, so every DC returns the same values (only Loc.USN is DC-specific). Quote the DN exactly, with no spaces inside the quotes.
- repadmin /showmeta "DN of the deleted object" > Delshowmeta.txt
Eg:
repadmin /showmeta "CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt
On current versions of repadmin the same report is produced by repadmin /showobjmeta <DC> "<DN>".
4. In Delshowmeta.txt, find the row for the isDeleted attribute and note its “Org.Time/Date” and “Originating DSA”: they give the time of the deletion and the DC on which the deletion was performed. Only the isDeleted row matters here; in the sample output below it shares its USN and timestamp with the other attributes that were rewritten when the object was tombstoned (cn, name, lastKnownParent and so on). Note that repadmin prints times in the local time zone of the DC you run it on, while whenChanged in the LDF extract is UTC (06:50:39Z above versus 12:20:39 below, a +5:30 offset in this lab).
=========================================================
Output of Showmeta:
Loc.USN   Originating DSA   Org.USN   Org.Time/Date         Ver   Attribute
=======   ===============   =======   ===================   ===   =========
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     objectClass
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     cn
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     givenName
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     instanceType
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     whenCreated
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     displayName
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   1     isDeleted
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     nTSecurityDescriptor
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     name
448488    SiteA\2008-DC2    448488    2010-05-26 12:20:20   4     userAccountControl
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     codePage
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     countryCode
448481    SiteA\2008-DC2    448481    2010-05-26 12:20:20   2     dBCSPwd
448480    SiteA\2008-DC2    448480    2010-05-26 12:20:20   1     logonHours
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   3     unicodePwd
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   3     ntPwdHistory
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   4     pwdLastSet
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     primaryGroupID
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     supplementalCredentials
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     objectSid
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     accountExpires
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   3     lmPwdHistory
448479    SiteA\2008-DC2    448479    2010-05-26 12:20:20   1     sAMAccountName
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     sAMAccountType
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     userPrincipalName
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   1     lastKnownParent
448492    SiteA\2008-DC2    448492    2010-05-26 12:20:39   2     objectCategory
=========================================================
5. With that information, check the Security event log on the “Originating DSA” around the “Org.Time/Date”. With Account Management auditing enabled on the DCs, the deletion is recorded as one of the following events:
For computer account deletion:
- Windows Server 2003: Event ID 647
- Windows Server 2008 and later: Event ID 4743
For user account deletion:
- Windows Server 2003: Event ID 630
- Windows Server 2008 and later: Event ID 4726
The Subject fields of the event identify the account that performed the deletion and the Target Account fields identify what was deleted. The Target Security ID is the same SID that is retained as objectSid on the tombstone, so it confirms you have the right object even if the name has since been reused, and the Subject Logon ID can be matched against the corresponding logon event (4624 on Windows Server 2008) to find where that session came from.
=========================================================
Below is an example of the event, confirming the deletion and showing who performed it.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/26/2010 12:20:39 PM
Event ID: 4726
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008-dc2.2008dom.local
Description: A user account was deleted.
Subject:
Security ID: 2008DOM\Administrator
Account Name: Administrator
Account Domain: 2008DOM
Logon ID: 0x5fe2d
Target Account:
Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111
Account Name: TestUser
Account Domain: 2008DOM
=========================================================
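The five steps above can be driven end to end from PowerShell. The script below is an added example written for this page, not code from the original post; it assumes the ActiveDirectory module (RSAT), repadmin.exe on the path and remote read access to the Security log on the originating DC, none of which the post states. TestUser and 2008-DC2 are the post’s own sample values, and the showmeta rows at the end are a constructed copy of the output shown above so that the parser can be exercised offline.

```powershell
# Added example, not part of the original post: steps 1-5 driven from PowerShell.
# Assumptions not in the post: ActiveDirectory module (RSAT) installed, repadmin.exe
# on the path, and permission to read the Security log on the originating DC.
#Requires -Modules ActiveDirectory

# Steps 1-2: locate the tombstone directly instead of dumping the whole container.
# Deleted objects are only returned with -IncludeDeletedObjects; sAMAccountName and
# objectSid survive on the tombstone (see the LDF extract above).
function Find-DeletedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADObject -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -Properties isDeleted, lastKnownParent, whenChanged, objectSid, sAMAccountName
}

# Steps 3-4: parse the attribute rows of repadmin /showmeta (/showobjmeta) output.
# Columns: Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
function ConvertFrom-ShowMeta {
    param([Parameter(Mandatory)][string]$Text)
    $row = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$'
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match $row) {
            [pscustomobject]@{
                LocalUsn        = [int64]$Matches[1]
                OriginatingDsa  = $Matches[2]                     # e.g. SiteA\2008-DC2
                OriginatingDc   = ($Matches[2] -split '\\')[-1]   # e.g. 2008-DC2
                OriginatingUsn  = [int64]$Matches[3]
                OriginatingTime = [datetime]::ParseExact($Matches[4], 'yyyy-MM-dd HH:mm:ss', $null)
                Version         = [int]$Matches[5]
                Attribute       = $Matches[6]
            }
        }
    }
}

function Get-DeletionMetadata {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Server)   # any DC: originating data is identical everywhere
    $raw = & repadmin.exe /showobjmeta $Server $DistinguishedName
    ConvertFrom-ShowMeta -Text ($raw -join "`n") | Where-Object Attribute -eq 'isDeleted'
}

# Step 5: read the deletion event from the originating DC. repadmin and the event log
# both report local time, so a small window around Org.Time/Date is enough.
function Get-DeletionEvent {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][datetime]$DeletedAt,
          [Parameter(Mandatory)][string]$TargetName)
    $filter = @{ LogName = 'Security'; Id = 4726, 4743    # user / computer account deleted
                 StartTime = $DeletedAt.AddMinutes(-5); EndTime = $DeletedAt.AddMinutes(5) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Read EventData by field name, not position, so 4726 and 4743 parse the same way.
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Target      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                TargetSid   = $data.TargetSid       # should equal objectSid on the tombstone
                DeletedBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                LogonId     = $data.SubjectLogonId
            }
        } | Where-Object { $_.Target -like "*\$TargetName" }
}

# Ties the steps together; run it before the object is restored (see the note above).
function Trace-AccountDeletion {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Server)
    $tombstone = Find-DeletedAccount -SamAccountName $SamAccountName
    if (-not $tombstone) { throw "No tombstone for $SamAccountName (already restored, or past the tombstone lifetime)." }
    $meta = Get-DeletionMetadata -DistinguishedName $tombstone.DistinguishedName -Server $Server
    if (-not $meta) { throw "repadmin returned no isDeleted metadata for $($tombstone.DistinguishedName)." }
    Get-DeletionEvent -ComputerName $meta.OriginatingDc -DeletedAt $meta.OriginatingTime -TargetName $SamAccountName
}

# Offline check of the parser against a constructed copy of the post's showmeta rows.
$sampleShowMeta = @"
 448492  SiteA\2008-DC2  448492 2010-05-26 12:20:39  1 isDeleted
 448479  SiteA\2008-DC2  448479 2010-05-26 12:20:20  1 objectSid
"@
ConvertFrom-ShowMeta -Text $sampleShowMeta | Where-Object Attribute -eq 'isDeleted'

# Live run against the lab from the post:
# Trace-AccountDeletion -SamAccountName 'TestUser' -Server '2008-DC2'
```

For a computer account pass the sAMAccountName with its trailing dollar sign (for example 'TestPC$'); the event filter already includes 4743. The script keeps the tombstone lookup, the metadata query and the event search as separate functions so that any one of them can be run by hand when, for instance, the originating DC is no longer reachable and the event has to be pulled from a forwarded copy of its log instead.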
Hope this helps…
- Abizer