How to detect who deleted a user account in Active Directory


User accounts in Active Directory (AD) are what employees use to log in and reach domain resources. Sometimes a careless admin, or an attacker covering tracks or locking a victim out, deletes a user account, and the employee loses access to their system and files. When a user account is deleted, the Domain Controller (DC) that processed the deletion writes event ID 4726 ("A user account was deleted") to its Security log. Two things to keep in mind before you search: the event is only written if the "Audit User Account Management" subcategory (Success) is enabled on the DCs, and it is written only on the DC that handled the deletion, so if you do not know which DC that was, check all of them. With that in place, there are several ways to find out who performed the deletion.

Using PowerShell

Perform the following actions on the Domain Controller (DC):

  1. Press Start, search for Windows PowerShell, right-click on it, and select Run as administrator.
  2. Type the following command into the console and press Enter:
    Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
  3. Each event returned corresponds to one deleted user account. In the Message field, Subject > Account Name and Security ID identify the user that performed the deletion (the Logon ID identifies their logon session), while Target Account > Account Name and Security ID identify the account that was deleted. Since the deleted object no longer exists in AD, the target SID in the event is the reliable key for correlating with other events about the same account.

Note: If you are running the query from a workstation rather than on the DC itself, run the following in PowerShell:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4726} |
Select-Object -Property *

where <DC name> is the name of the DC whose Security log you want to check for the deletion. Repeat for each DC if you do not know which one processed it.
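The commands above query one DC at a time and leave you reading the Message text by eye. The following PowerShell script, added here as an example and not part of the original article or of ADAudit Plus, generalises the procedure: it enumerates every DC in the domain with the ActiveDirectory module, pulls 4726 events from each with Get-WinEvent, and reads the named EventData fields (SubjectUserName, TargetUserName, TargetSid) from the event XML instead of parsing free text. It assumes the RSAT ActiveDirectory module is installed, that you can read the Security log on each DC remotely, and a hypothetical $Days lookback parameter; the auditpol check reflects only the machine the script runs on, so run it on a DC if you want that check to be meaningful.

```powershell
# Added example: report who deleted which AD user account, when, and on which DC.
# Not code from the original article. Assumes RSAT ActiveDirectory module and
# remote read access to each DC's Security log. $Days is a hypothetical parameter.
param(
    [int]$Days = 7
)

Import-Module ActiveDirectory -ErrorAction Stop

$since = (Get-Date).AddDays(-$Days)

# 4726 is only written when "User Account Management" (Success) auditing is on.
# auditpol reports the effective policy of the local machine only.
$policyCsv = (auditpol /get /subcategory:"User Account Management" /r 2>$null) -join "`n"
if ($policyCsv -and $policyCsv -notmatch 'Success') {
    Write-Warning "User Account Management success auditing is not enabled on $env:COMPUTERNAME; 4726 will not be logged here."
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Deletions are logged only on the DC that processed them, so ask every DC.
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4726
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no deletions".
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "Could not read the Security log on $($dc.HostName): $_"
        continue
    }

    foreach ($e in $events) {
        # EventData carries named fields; this avoids parsing the localized Message text.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            DC           = $dc.HostName
            DeletedBy    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            DeletedBySid = $d['SubjectUserSid']
            LogonId      = $d['SubjectLogonId']   # correlate with 4624 to find the source host
            DeletedUser  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            DeletedSid   = $d['TargetSid']        # the object is gone; the SID is the stable key
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it as `.\Find-DeletedUsers.ps1 -Days 30` (any file name will do) from an account that can read the DCs' Security logs. The Logon ID column is the link to the matching 4624 logon event on the same DC, which tells you from which workstation the deleting account was logged on; the target SID lets you tie the deletion to earlier 4720 (created) or 4738 (changed) events for the same account even though the object no longer resolves.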


Using the Event Viewer

  1. Press Start, search for Event Viewer, right-click on it, and select Run as administrator.
  2. In the new Event Viewer window, navigate to Event Viewer > Windows Logs > Security using the left pane.
  3. On the right pane, click on Filter Current Log.
  4. In the new dialog box, enter 4726 in the field labeled <All Event IDs>.
  5. Click on OK.
  6. The list now shows only user account deletion events. Double-click an event in the list to view its Properties.
  7. In the Event Properties window, on the General tab, Subject > Account Name shows the user that performed the deletion, and Target Account > Account Name shows the account that was deleted. The Details tab (XML view) exposes the same values as named fields (SubjectUserName, TargetUserName, TargetSid), which is handy when exporting or scripting against the events.

Note: If you are using a workstation, in the Event Viewer, right-click on Event Viewer (Local) in the left pane, click on Connect to Another Computer..., and enter the name of the DC in the following format:

<domain name>\<domain controller name>

Connect to each DC in turn if you do not know which one processed the deletion.

Both methods above are manual and after the fact: you have to query each DC separately, the Security log may already have rolled over by the time you look, and neither gives you a running record or an alert as deletions happen.

Find out who deleted a user account using ManageEngine ADAudit Plus

  1. Open the ADAudit Plus console and log in as administrator.
  2. Navigate to Reports > Active Directory > User Management > Recently deleted users.

This will show you a detailed list of deleted user accounts, the user that performed each deletion, the time of deletion, and the DC on which the deletion was performed, along with a graphical representation.


ADAudit Plus enables you to monitor real-time AD object access and modifications.
