Object Access Event: 4660

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Object Access » Object Access Event: 4660

Event ID 4660 – An Object Was Deleted

Event ID 4660
Category Object Access: File System; Kernel Object; Registry
Type Success Audit
Description An object has been deleted.

Event ID 4660 is logged when an object is deleted. The audit policy of the object must have auditing enabled for deletions by that particular user or group. Event 4660 can be correlated to event 4656 as they share the same handle ID. The deletion of an object triggers both this event, as well as event 4663.

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Object Server
  • Handle ID
  • Process ID
  • Transaction ID

Why does event ID 4660 need to be monitored?

  • To track the deletion of files and other Windows objects, this should be monitored in tandem with 4663, as this event does not provide the Object Name
  • To prevent privilege abuse
  • To detect abnormal and potentially malicious activity
  • To ensure compliance with regulatory mandates

Pro Tip:

ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.

Event 4660 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding event in Windows 2003 and before: 564

Explore Active Directory auditing and reporting with ADAudit Plus.

  •  
  •  
  •  
  • By clicking 'Schedule a personalized demo' you agree to processing of personal data according to the Privacy Policy.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing