How to find who deleted a computer account in Active Directory


When it comes to device logon activity, a computer account is just as important as a user account. If a user's Active Directory (AD) computer account is deleted, they will not be able to log in to their device to continue with their work. This can cost organizations a lot in terms of time spent recovering the computer account, and loss of productivity from the employee who cannot log in. Finding out who deleted the computer account can help administrators understand why the deletion occurred and how to avoid future occurrences. Read on to find out how.

Steps to find who deleted computer accounts using PowerShell:

Perform the following actions on the domain controller (DC):

  1. Click Start, search for Windows PowerShell, right-click it, and select Run as administrator.
  2. Type the following command into the console:

    Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4743} | Select-Object -Property *

  3. Press Enter.
  4. The command lists every event with ID 4743 (a computer account was deleted). In each event's output, under Message > Subject > Account Name, you will find the name and security ID of the user that deleted the target computer account.

Note: If you are running PowerShell on a workstation rather than on the DC, query the DC's Security log remotely:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4743} | Select-Object -Property *

where <DC name> is the name of the domain controller on which you want to check the details of the deletion that took place.
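The same query, written as an added example that is not part of the original article: instead of dumping every property of each event, it filters the DC's Security log for ID 4743 with Get-WinEvent and parses the event XML so that the deleter, the deleted computer and the time come out as one object per event, which is easier to review when there are many deletions. The DC name 'DC01' is a placeholder; the function assumes you have rights to read the Security log on the DC and that the "Audit Computer Account Management" subcategory is enabled there (otherwise no 4743 events exist to find).

```powershell
# Added example (not ManageEngine's code). Assumptions: run as a member of
# Event Log Readers or Administrators on the DC, RPC access to the DC, and
# "Audit Computer Account Management" enabled on the DCs so 4743 is logged.
function Get-DeletedComputerAccountEvents {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,        # DC to query
        [datetime]$StartTime = (Get-Date).AddDays(-7),    # how far back to look
        [int]$MaxEvents = 1000
    )
    $filter = @{ LogName = 'Security'; Id = 4743; StartTime = $StartTime }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result.
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
        $d = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $e.MachineName
            DeletedComputer  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            DeletedBy        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            DeletedBySid     = $d['SubjectUserSid']
            LogonId          = $d['SubjectLogonId']   # correlate with 4624 to find the source host
        }
    }
}

# Usage: list the last 30 days of deletions on DC01 (placeholder name), then
# summarise how many each account performed so unexpected deleters stand out.
$deletions = Get-DeletedComputerAccountEvents -ComputerName 'DC01' -StartTime (Get-Date).AddDays(-30)
$deletions | Sort-Object TimeCreated |
    Format-Table TimeCreated, DeletedComputer, DeletedBy, DeletedBySid -AutoSize
$deletions | Group-Object DeletedBy | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Get-WinEvent is used rather than Get-EventLog because Get-EventLog exists only in Windows PowerShell 5.1 and is not available in PowerShell 7.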


Through native auditing, you can search for events to keep an eye on object deletions. However, this becomes impractical when you have to deal with thousands of computer accounts, and need to keep track of each event as it occurs.

The above process can be simplified by using ADAudit Plus, real-time Active Directory auditing software. ADAudit Plus provides detailed information on who deleted what, when, and from where for every AD change event occurring in your organization, including computer management.

Steps to find who deleted computer accounts using ManageEngine ADAudit Plus:

  1. Open the ADAudit Plus console and log in as an administrator.
  2. Navigate to Reports > Active Directory > Computer Management > Recently Deleted Computers.
  3. Selectively monitor critical computer accounts by sorting these reports based on criteria such as computer name, caller user name, time of creation/deletion/modification, etc.
  4. Gain valuable additional insights with the help of curated reports such as Users logged into multiple computers.

Advantages of using ADAudit Plus over native auditing:

  • ADAudit Plus audits and reports on all Active Directory changes consistently, ensuring a foolproof audit trail. There is no need to remember the event ID for each activity and search for it, which is the case with native auditing.
  • Set alerts for unusual activity using machine learning, and automate responses to these alerts in order to detect and respond to insider threats.
  • ADAudit Plus' out-of-the-box compliance reports help you satisfy regulations including SOX, HIPAA, GLBA, PCI-DSS, FISMA, and GDPR.
 
