Event IDs when a user account is deleted from Active Directory

Event IDs when a user account is deleted from Active Directory

Applies to: Windows Server 2008, 2008 R2 and 2012

Requirement:  You would like to investigate who has deleted a user account from Active Directory.

Prerequisite:
 Auditing has to be configured on Domain controllers, especially, “Audit account management” policy must be configured and you need to define both Success and Failure policy settings. To configure Auditing on Domain Controllers, you need to edit and update DDCP (Default Domain Controller Policy)



When a user account is deleted from Active Directory, an event is logged with Event ID: 4726



Event Details for Event ID: 4726

A user account was deleted.

 

Subject:

                Security ID:                            TESTLAB\Santosh

                Account Name:                    Santosh

                Account Domain:                 TESTLAB

                Logon ID:                               0x8190601

 

Target Account:

                Security ID:                            TESTLAB\Random

                Account Name:                    Random

                Account Domain:                 TESTLAB

 

Additional Information:

                Privileges               -

In this example TESTLAB\Santosh has deleted user account TESTLAB\Random




See Also

Leave a Comment
  • Please add 5 and 7 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
Page 1 of 1 (1 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Maheshkumar S Tiwari edited Original. Comment: Added See Also and Tag

Page 1 of 1 (1 items)