Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Features

Windows Event ID 4726 - A user account was deleted

Introduction

Event 4726 generates every time a user object is deleted.

Description of the event fields.

Figure 1. Event ID 4726 — General tab under Event Properties.

Event ID 4726 — General tab under Event Properties.

Figure 2. Event ID 4726 — Details tab under Event Properties.

Event ID 4726 — Details tab under Event Properties.

user-management-reports

Security ID: The SID of the account that requested to delete theTarget Account.

Account Name: The name of the account that requested to delete the Target Account.

Account Domain: The Subject's domain or computer name. Formats may vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.
For well-known security principals, this field is "NT AUTHORITY," and for local user accounts this field will contain the computer name that this account belongs to.

Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4624).

Security ID: The SID of the account that was deleted.

Account Name: The name of the account that was deleted.

Account Domain: The Target Account's domain or computer name. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.
For well-known security principals, this field is "NT AUTHORITY," and for local user accounts, this field will contain the computer name that this account belongs to.

Privileges: The list of user privileges which were used during the operation.

Monitoring event ID 4726.

  • Accounts that have Target Account/Security ID corresponding to high-value accounts, including administrators, built-in local administrators, domain administrators, and service accounts.
  • Accounts that have to be monitored for every change. This list can vary between enterprises and industries.
  • Local accounts, because these accounts are often not deleted, and this could serve as an indicator of malicious activity.
  • Accounts that should never be deleted (for example, service accounts).

The need for an auditing solution.

Auditing solutions like ADAudit Plus offer real-time monitoring, user and entity behavior analytics, and reports; together these features help secure your AD environment.

Around the clock, real-time monitoring.

Although you can attach a task to the security log and ask Windows to send you an email, you're limited to simply getting an email whenever event 4726 is generated. Windows also lacks the ability to apply more granular filters that are required to meet security recommendations.

For example, Windows can send you an email every time event 4726 is generated, but it can't tell the difference between regular and high-value accounts. Recieving alerts specifically for high-value accounts reduces the chance of missing out on critical notifications hidden among the heap of false-positive alerts.

With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can receive real-time notifications via SMS, too.

User and entity behavior analytics (UEBA).

Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.

Compliance-ready reports.

Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR with out-of-the-box compliance reports.

True turnkey: it doesn't get simpler than this.

Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.

Try it now for free!

 

The 8 Most
Critical Windows
Security Event IDs

By clicking 'Download free guide', you agree to processing of personal data according to the Privacy Policy.

 
 
 
 

ADAudit Plus Trusted By

A single pane of glass for complete Active Directory Auditing and Reporting