
How to detect who deleted a user account in Active Directory


User accounts in Active Directory (AD) enable employees to log in and gain access to a system. Sometimes, a negligent admin or an attacker might delete a user account, resulting in the employee losing access to their system and files. In such situations, there are ways to find out who performed the deletion.

Using PowerShell:

Perform the following actions on the Domain Controller (DC):

  1. Press Start, search for Windows PowerShell, right-click on it, and select Run as administrator.
  2. Type the following script into the console:
    Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
  3. Press Enter.
  4. This script will display deleted user accounts. In the output, under Message > Subject, the Account Name and security ID of the user that performed the deletion on the target user can be seen.

Note: If you are using a workstation, run the following script in PowerShell instead:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4726} |
Select-Object -Property *

where <DC name> is the name of the DC where you want to check if the deletion took place.
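
The commands above return the Subject and target details inside one free-text Message; the event XML carries the same details as named fields. The following is an added example, not code from the original page or from ADAudit Plus: ConvertFrom-Event4726Xml is a hypothetical helper name, and the sample event, host name DC01, account names and SIDs are constructed placeholders.

```powershell
# Added example: parse one 4726 event (XML) into who deleted which account.
function ConvertFrom-Event4726Xml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    $id  = $evt.System['EventID'].InnerText
    if ($id -ne '4726') { throw "Expected event 4726, got $id" }

    # EventData is a flat list of <Data Name="...">value</Data> elements.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

    [pscustomobject]@{
        TimeCreatedUtc   = $evt.System.TimeCreated.SystemTime
        DomainController = $evt.System.Computer
        DeletedBy        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        DeletedBySid     = $data.SubjectUserSid
        DeletedAccount   = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        DeletedSid       = $data.TargetSid
        # Matches the Logon ID of the 4624 logon event for the deleter's session.
        SubjectLogonId   = $data.SubjectLogonId
    }
}

# Constructed sample event (not from a real system); values are placeholders.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4726</EventID>
    <TimeCreated SystemTime="2024-01-15T10:32:07.1234567Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">admin.alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4726Xml $sample | Format-List

# Against a live DC (run elevated; DC01 is a placeholder name):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4726 } |
#     ForEach-Object { ConvertFrom-Event4726Xml $_.ToXml() }
```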


Using the Event Viewer

  1. Press Start, search for Event Viewer, right-click on it, and select Run as administrator.
  2. In the new Event Viewer window, navigate to Event Viewer > Windows Logs > Security using the left pane.
  3. On the right pane, click on Filter Current Log.
  4. In the new dialogue box, enter 4726 in the field labeled <All Event IDs>.
  5. Click on OK.
  6. Here, you can see a list of events corresponding to user account deletion. Double-click on an Event ID in the list to view its Properties.
  7. In the Event Properties window, in the General tab, under Subject > Account Name, you can see the user that performed this deletion.

Note: If you are using a workstation, in the Event Viewer, right-click on Event Viewer (Local) on the left pane, and click on Connect to Another Computer... and enter the name of the DC in the following format:

<domain name>\<domain controller name>

The above two methods are complex and the insight provided is limited since it is impossible to keep track of each event as it occurs.

Finding deleted users using ManageEngine ADAudit Plus

  1. Open the ADAudit Plus console and log in as administrator.
  2. Navigate to Reports > Active Directory > User Management > Recently deleted users.

This will show you a detailed list of deleted user accounts, the user that performed the deletion, the time of deletion, and the DC that the deletion was performed in, along with a graphical representation.


ADAudit Plus enables you to monitor AD object access and modifications in real time.
