AD Account Deletion

Posted on 2009-12-16
Last Modified: 2012-05-08
Hey all  --  Is there a way to figure out who deleted an AD Account?  An account magically went missing this morning.  Thanks
Question by:nyceuser
    LVL 11

    Accepted Solution

    You can look at the event viewer security logs on the domain controller. Here is an example log for account deletion. Look for event id 630. Target account is the deleted account (TestAcc), caller user name is the account who deleted the account (administrator) :

    Event Type:      Success Audit
    Event Source:      Security
    Event Category:      Account Management
    Event ID:      630
    Date:            12/16/2009
    Time:            4:47:13 PM
    User:            DM1\administrator
    Computer:      DM1DC
    User Account Deleted:
           Target Account Name:      TestAcc
           Target Domain:      DM1
           Target Account ID:      TestAcc
           Caller User Name:      administrator
           Caller Domain:      DM1
           Caller Logon ID:      
           Privileges:      -
    LVL 57

    Expert Comment

    by:Mike Kline
    Duplicate "request attention" and ask the mods to delete this one so you don't get charged twice for your points

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    I came across this issue when setting up a two way forest level trust. so here's the scenario: A company wildcards acquired another company, bizworks ( both Fictitious). Wild cards: windows 2003 Domain & forest functional levels - Ad domain na…
    Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    6 Experts available now in Live!

    Get 1:1 Help Now