
Printed 12/1/2015 - Tracing down user and computer account deletion in Active Directory - Chicken Soup for the Techie - Site Home - TechNet Blogs

Tracing down user and computer account deletion in Active Directory


abizer_hazrat 27 May 2010 1:40 AM


To find out who deleted a user or computer account, Account Management auditing must already be enabled before the deletion happens: the audit event is written at deletion time and cannot be recovered afterwards.
Enable Account Management auditing as follows:
At the Domain Controllers OU level, edit the Default Domain Controllers Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
Enable Success for Audit account management.
Make sure the GPO is actually applied on every DC. On Windows Server 2008 and later, auditpol /get /category:"Account Management" run on a DC shows whether the User Account Management and Computer Account Management subcategories are auditing Success; that is the setting the legacy policy above maps to.
After a user or computer account has been deleted, follow the steps below to find out when, on which DC and by whom it was deleted.
Note: Complete the steps below before you restore the deleted object. A restore (authoritative restore or Recycle Bin) writes the object again, so the isDeleted replication metadata would then point at the restore rather than at the deletion.

1. Dump the deleted objects in the Deleted Objects container. The -x switch makes ldifde include tombstones, which a normal LDAP search does not return; quote the DN because it contains a space:

ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf

2. Search Deletedobj.ldf for the AD object that was deleted. Its name (the first RDN of the DN) is the original name followed by \0ADEL: and the object's GUID. Copy the value of its distinguishedName attribute.

=========================================================

Extract from the LDF file above showing the deleted user object TestUser:
dn: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
distinguishedName: CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local
instanceType: 4
whenCreated: 20100526065020.0Z
whenChanged: 20100526065039.0Z
uSNCreated: 448479
isDeleted: TRUE
# isDeleted is set to TRUE when the object is deleted (tombstoned)
uSNChanged: 448492
name:: dGVydApERUw6YWZmMDA2ZDctNzc1OC00YjI0LWJiNTMtNmU4ZjFhODc4MzRl
objectGUID:: 1wbwr1h3JEu7U26PGoeDTg==
userAccountControl: 512
objectSid:: AQUAAAAAAAUVAAAARb3/5MeOM1el+HeXPwgAAA==
sAMAccountName: TestUser
lastKnownParent: CN=Users,DC=2008dom,DC=local

http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracingdownuserandcomputeraccountdeletioninactivedirectory.aspx


=========================================================

3. On any DC, run the following command against the DN you copied. Quote the DN, since it contains a space and the \0A escape:

repadmin /showmeta "<DN of the deleted object>" > Delshowmeta.txt
Eg:
repadmin /showmeta "CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt

4. In Delshowmeta.txt, find the row for the isDeleted attribute. Its Org.Time/Date is the time the object was deleted and its Originating DSA is the DC on which the deletion was performed, which is therefore the DC whose Security log holds the audit event. Both are originating (replicated) values, so every DC reports the same answer; only the Loc.USN column is specific to the DC you ran the command on. Note that the time is shown in the local time of that DC, while whenChanged in the LDIF is UTC.
=========================================================
Output of Showmeta:
Loc.USN Originating DSA Org.USN Org.Time/Date       Ver Attribute
======= =============== ======= =================== === =========
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   objectClass
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   cn
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   givenName
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   instanceType
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   whenCreated
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   displayName
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 1   isDeleted
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   nTSecurityDescriptor
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   name
448488  SiteA\2008DC2   448488  2010-05-26 12:20:20 4   userAccountControl
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   codePage
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   countryCode
448481  SiteA\2008DC2   448481  2010-05-26 12:20:20 2   dBCSPwd
448480  SiteA\2008DC2   448480  2010-05-26 12:20:20 1   logonHours
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 3   unicodePwd
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 3   ntPwdHistory
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 4   pwdLastSet
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   primaryGroupID
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   supplementalCredentials
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   objectSid
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   accountExpires
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 3   lmPwdHistory
448479  SiteA\2008DC2   448479  2010-05-26 12:20:20 1   sAMAccountName
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   sAMAccountType
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   userPrincipalName
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 1   lastKnownParent
448492  SiteA\2008DC2   448492  2010-05-26 12:20:39 2   objectCategory
=========================================================

5. With this information, check the Security event log on the Originating DSA around the Org.Time/Date. With Account Management auditing enabled on the DCs, you should see the following events in its Security log:
For computer account deletion:
On Windows Server 2003: Event ID 647
On Windows Server 2008: Event ID 4743
For user account deletion:
On Windows Server 2003: Event ID 630
On Windows Server 2008: Event ID 4726
=========================================================
Below is an example of the event that confirms the deletion and shows who performed it. The Subject is the account that issued the delete. The Target Account's Security ID is the same SID as the tombstone's objectSid, which is the reliable way to match the event to the object (an account name can be reused later, a SID cannot). The Subject's Logon ID can be matched against the 4624 logon event with the same Logon ID on this DC to see where that session came from.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/26/2010 12:20:39 PM
Event ID: 4726
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008dc2.2008dom.local
Description: A user account was deleted.
Subject:
Security ID: 2008DOM\Administrator
Account Name: Administrator
Account Domain: 2008DOM
Logon ID: 0x5fe2d
Target Account:
Security ID: S-1-5-21-3841965381-1462996679-2541222053-2111
Account Name: TestUser
Account Domain: 2008DOM
=========================================================
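The five steps above, as an added example script that is not part of the original post: it locates the tombstone directly (the same "show deleted" control that ldifde -x sets, restricted to one account), reads the originating DC and time of the isDeleted write from the replication metadata, and then pulls the matching 4726 or 4743 event from that DC's Security log, matching on the tombstone's SID rather than on the name. It assumes the ActiveDirectory PowerShell module including Get-ADReplicationAttributeMetadata (Windows Server 2012 / RSAT 2012 or later, so newer than the 2008 environment in the post), rights to read deleted objects and the DC's Security log, and that auditing was already on when the deletion happened. The domain and account names are the post's placeholders; the script name and parameters are this example's own.

```powershell
<#
Added example, not part of the original post: trace a deleted user or computer
account end to end (tombstone -> isDeleted replication metadata -> 4726/4743 on
the originating DC). Assumes the ActiveDirectory module with
Get-ADReplicationAttributeMetadata (Windows Server 2012 / RSAT 2012 or later),
permission to read deleted objects and the remote Security log, and that Account
Management auditing was already enabled when the deletion happened.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. TestUser, or WKS01$ for a computer
    [string] $Domain      = '2008dom.local',           # placeholder domain from the post
    [int]    $SkewMinutes = 5                          # search window around the deletion time (clock drift)
)
Import-Module ActiveDirectory

# Escape RFC 4515 metacharacters so an unusual account name cannot alter the LDAP filter.
function ConvertTo-LdapFilterLiteral([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Steps 1-2 without dumping the whole container: -IncludeDeletedObjects sets the same
# "show deleted" control as ldifde -x, and the filter selects just this tombstone.
$filter = "(&(isDeleted=TRUE)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
$tomb = @(Get-ADObject -LDAPFilter $filter -IncludeDeletedObjects -Server $Domain `
            -Properties objectSid, lastKnownParent, whenChanged)
if ($tomb.Count -eq 0) { throw "No tombstone for '$SamAccountName' in the Deleted Objects container." }
if ($tomb.Count -gt 1) { throw "Several tombstones match '$SamAccountName'; narrow the search by objectGUID." }
$tomb = $tomb[0]

# Steps 3-4: originating DSA and time of the isDeleted write. These are originating
# (replicated) values, so any DC gives the same answer; only the local USN is DC-specific.
$delMeta = Get-ADReplicationAttributeMetadata -Object $tomb.DistinguishedName -Server $Domain `
               -IncludeDeletedObjects -Properties isDeleted
$when = $delMeta.LastOriginatingChangeTime
# The DSA identity is the NTDS Settings DN; its parent is the server object carrying dNSHostName.
$serverDn = $delMeta.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,', ''
$dc = (Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $Domain).dNSHostName

# Step 5: the audit event on that DC. 4726 = user account deleted, 4743 = computer account
# deleted (Windows Server 2008 and later; 630 and 647 on 2003). Match on the tombstone's
# SID rather than the name, because a name can be reused while a SID is not.
$eventId = if ($tomb.ObjectClass -eq 'computer') { 4743 } else { 4726 }
$sid     = $tomb.objectSid.Value
$events  = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = $eventId
    StartTime = $when.AddMinutes(-$SkewMinutes)
    EndTime   = $when.AddMinutes($SkewMinutes)
}

$hits = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetSid'] -ne $sid) { continue }
    [pscustomobject]@{
        DeletedObject   = $tomb.DistinguishedName
        LastKnownParent = $tomb.lastKnownParent
        DeletedAt       = $when
        OriginatingDC   = $dc
        EventId         = $e.Id
        DeletedBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId         = $data['SubjectLogonId']   # correlate with a 4624 on the same DC for the source host
    }
}
if (-not $hits) {
    Write-Warning "Metadata says $dc deleted the object at $when, but no matching $eventId event is there (log overwritten, or auditing was off at the time)."
}
$hits
```

Run it as an account that can read the Deleted Objects container and the DC's Security log, for example .\Trace-DeletedAccount.ps1 -SamAccountName TestUser (for a computer account pass the name with its trailing $). The warning branch is the important failure mode: the replication metadata survives as long as the tombstone does, but the Security log on a busy DC can wrap within days, so the metadata may name a DC and time for which no event remains.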

Hope this helps


Abizer

Comments
Varun 8 May 2013 3:21 AM

Great Post
C.Ravi Shankar 1 Jul 2013 12:19 PM

Very useful information i appreciate your effort Abizer.


princess 23 Oct 2013 12:05 PM

www.google.co.uk/imgres
Bijith 5 Mar 2014 2:35 PM

Can we get one particular computer/user object's details? Since it will generate all the deleted objects' details and will take time. Also, there is a chance that the file will not open due to its large size.
Heidi 5 May 2014 2:53 PM

Does this work for removal from a group as well? I have a user that keeps getting removed from a group but "no
one" did it.
Jeffrey S. Patton 9 Jun 2014 4:27 PM

@Heidi, it *should*. You may want to make sure you have user management enabled as well as group management enabled.

AllenRich 24 Nov 2014 10:50 AM

Really an impressive blog post.


Till now, I have been using an automated solution named Lepide Auditor Suite http://www.lepide.com/lepideauditor/active-directory.html to audit such change activities in Active Directory. But this will be a big help in the future.
Nithin 18 Feb 2015 4:19 PM

Thanks a lot
Arun Shourie 22 May 2015 11:02 PM

Great Post
Came very handy to troubleshoot quickly
vaadadmin2010 15 Jul 2015 7:49 PM

Thanks for the great post. If you have AD Recycle Bin enabled, you can grab the 'Name' from there as well and just convert it to a DN, if you want to skip the ldifde part.
