Deleting AD objects generally requires administrator privileges, so when a suspicious deletion occurs it is crucial to find the user who initiated it. An unauthorized user with that level of access is a serious risk to the security of the network, and the sooner an IT admin detects them, the less damage they can do.
On native AD, even Windows PowerShell cannot produce this report on its own; you have to use multiple applications to get the information. ADAudit Plus, on the other hand, fetches the report in a few quick minutes, because it has several pre-packaged reports that help you conduct a general audit of the whole network. Here is a comparison of how to find the user who deleted a computer object using Windows PowerShell and ADAudit Plus.
Get-ADObject -IncludeDeletedObjects -Filter {objectClass -eq "computer" -and isDeleted -eq $true}
From the output, copy the DN of the particular deleted object.
Then open Command Prompt and run the following, inserting the name of your DC and the DN of the deleted object in the appropriate places:
repadmin /showobjmeta nameofDC "DN of computer object"
This will give you the date and time of deletion. You can now use the date to filter the events in Active Directory Event Viewer to discover the user who deleted the AD object.
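The three manual steps above, chained into one script as an added example (not part of the original page and not ADAudit Plus code). It uses Get-ADReplicationAttributeMetadata in place of repadmin /showobjmeta and reads Security event 4743 ("A computer account was deleted") from the DC where the deletion originated. Assumptions: the DC name is a placeholder, the "Audit Computer Account Management" subcategory is enabled on the DCs, and the Security log still holds the event.

```powershell
# Added example, not from the original page. Needs the RSAT ActiveDirectory module
# and rights to read the Deleted Objects container and the DC Security log.
Import-Module ActiveDirectory

$Server  = 'DC01.example.com'  # placeholder: any reachable domain controller
$Minutes = 5                   # assumption: search window around the deletion time

# Step 1: deleted computer objects, with the SID that survives on the tombstone.
$deleted = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -Filter 'objectClass -eq "computer" -and isDeleted -eq $true' `
    -Properties objectSid, lastKnownParent

foreach ($obj in $deleted) {
    # Step 2: replication metadata of isDeleted shows when, and on which DC,
    # the deletion originated (the same data repadmin /showobjmeta prints).
    $meta = Get-ADReplicationAttributeMetadata -Object $obj.ObjectGUID -Server $Server `
        -IncludeDeletedObjects -Properties isDeleted
    if (-not $meta) { continue }
    $when = $meta.LastOriginatingChangeTime

    # Resolve the originating DC from its NTDS Settings DN; keep $Server as a
    # fallback if that DC has since been removed.
    $originDc = $Server
    try {
        $dn = $meta.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,', ''
        $originDc = (Get-ADObject -Server $Server -Identity $dn -Properties dNSHostName).dNSHostName
    } catch { }
    if (-not $originDc) { $originDc = $Server }

    # Step 3: event 4743 logged near the deletion time (assumes auditing is on).
    $events = Get-WinEvent -ComputerName $originDc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4743
        StartTime = $when.AddMinutes(-$Minutes); EndTime = $when.AddMinutes($Minutes)
    }
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['TargetSid'] -ne $obj.objectSid.Value) { continue }  # match on SID, not name
        [pscustomobject]@{
            Computer   = $d['TargetUserName']
            DeletedBy  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            DeletedAt  = $e.TimeCreated
            OriginDC   = $originDc
            LastParent = $obj.lastKnownParent
        }
    }
}
```

A deleted object that produces no output row means the matching event was not found: auditing was off, the log has rolled over, or the originating DC could not be reached.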
There are several limitations when using Windows PowerShell to find the details of a deleted object, such as those below:
On the other hand, ADAudit Plus' pre-packaged reports provide the necessary information in just a few clicks. This is because ADAudit Plus has several pre-packaged reports that help you conduct a general audit of the whole network. Apart from that, there are also custom reports that can be designed to suit your particular security needs.