User IDs getting deleted from AD frequently.

Posted on 2013-09-24
Medium Priority
Last Modified: 2014-03-29
Hello, we are facing an issue with Active Directory: multiple accounts are getting deleted from AD, and we need to find out how and why these accounts are getting deleted.

We also have only a 300 MB limit for the Event logs, and this issue occurred on 09/20.

Please help us find out the root cause of this deletion, as we don't have the logs and so are unable to trace the issue via the event logs.
We have 2003 AD servers where this issue occurred.

Also, we suspect that this is done via some script, as more than 5 AD accounts were deleted at the same point in time (09/20 @ 08:44:46 AM), which is not possible manually.
Question by:biplabmukh
LVL 57

Expert Comment

by:Mike Kline
ID: 39517473
Without logs you will not be able to get the full picture.  Did this happen once or has it happened multiple times?  If it has happened multiple times I suggest log tuning or increasing your log size so that you have the logs.

Do you have auditing enabled for AD objects?


LVL 10

Expert Comment

ID: 39517501
To track user and computer account deletion, you must keep "Account Management" auditing enabled.

Check this blog on how to do that.


Author Comment

ID: 39517517
Thanks for the reply; however, we do have auditing enabled on the AD servers, but the log size is set to 300 MB. Is there any tool or other script that can help determine how the accounts got deleted without requiring the Event logs?

LVL 10

Accepted Solution

jmanishbabu earned 1500 total points
ID: 39517567
1. Dump the deleted objects in the "Deleted Objects" container.

    - Ldifde -x -d "CN=Deleted Objects,DC=domain,DC=com" -f Deletedobj.ldf

2. Search the Deletedobj.ldf file for the AD object that got deleted. The name of this object would have a GUID appended to it. Copy the DN attribute value of this object.

Use this command:

Repadmin /Showmeta "DN of the deleted object" > Delshowmeta.txt


Repadmin /Showmeta "CN=TestUser\0ADEL:aff006d7-7758-4b24-bb53-6e8f1a87834e,CN=Deleted Objects,DC=2008dom,DC=local" > Delshowmeta.txt

Check the link below; it will explain how to use this and check


Expert Comment

ID: 39517806
I think, on top of what jmanishbabu suggested, you can check whether any group policy is actually being used for the deletion of objects from the live users folder rather than the inactive users folder, any scheduled task running on any of your application servers, or any SQL jobs set up for maintenance, etc.

LVL 24

Expert Comment

ID: 39520183
In order to find out changes, creation or deletion events, you must keep the “Account Management” auditing enabled.

Apart from the auditing, you can use third-party tools like Quest and Netwrix to find out WHO changed WHAT, WHEN, and WHERE, to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, and group memberships.
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
Quest: http://www.quest.com/changeauditor-for-active-directory/

If auditing is not enabled, you can still find out on which DC the changes were made, and when, using repadmin /showobjmeta.
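The two-step procedure from the accepted answer (ldifde dump of CN=Deleted Objects, then repadmin /showmeta on each tombstone) and the repadmin /showobjmeta hint in the comment above, scripted end to end in PowerShell. This is an added example, not code posted in this thread or shipped by Microsoft. It assumes ldifde.exe and repadmin.exe are on the PATH (on Windows Server 2003 repadmin comes with the Support Tools), that the account running it has been granted read access on the Deleted Objects container (on 2003 this is typically not granted by default and has to be added with dsacls), and that $DomainDN and $DC are placeholders you replace with your own values. The function names Get-LdfDistinguishedNames and Get-DeletionOrigin are chosen here. It goes one step beyond the answer by grouping the tombstones by originating DC and second, which is the check that supports or refutes the "done via some script" suspicion in the question.

```powershell
<#
  Added example, not code from the original thread.
  Assumes ldifde.exe and repadmin.exe on the PATH, read access to CN=Deleted Objects,
  and placeholder values for $DomainDN and $DC that you replace before running.
#>
param(
    [string]$DomainDN = "DC=domain,DC=com",                 # placeholder: your domain DN
    [string]$DC       = "DC1",                              # placeholder: a DC to query
    [string]$OutDir   = (Join-Path $env:TEMP "ad-deleted-audit")
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$ldf = Join-Path $OutDir "Deletedobj.ldf"

# Step 1 (as in the accepted answer): dump the Deleted Objects container.
# -x requests the Show Deleted Objects control, -r keeps only user-class objects
# (computers are a subclass of user and are returned too), -l keeps the file small.
& ldifde.exe -x -s $DC -d "CN=Deleted Objects,$DomainDN" -r "(objectClass=user)" -l "objectClass" -f $ldf | Out-Null
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# Step 2: pull every DN out of the LDF. ldifde writes "dn: value" or "dn:: base64"
# and folds long lines with a leading space, so unfold before matching.
function Get-LdfDistinguishedNames {
    param([string]$Path)
    $text = [IO.File]::ReadAllText($Path) -replace "`r?`n ", ""
    foreach ($m in [regex]::Matches($text, '(?m)^dn(::?)[ \t]*([^\r\n]+)')) {
        if ($m.Groups[1].Value -eq '::') {
            [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Groups[2].Value))
        } else {
            $m.Groups[2].Value
        }
    }
}

# Step 3: ask the replication metadata which DC originated the isDeleted attribute.
# /showobjmeta is the current name of the /showmeta command used in the answer.
# Columns: Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
function Get-DeletionOrigin {
    param([string]$DC, [string]$DistinguishedName)
    $out = & repadmin.exe /showobjmeta $DC $DistinguishedName 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+isDeleted\s*$') {
            return [pscustomobject]@{
                DN             = $DistinguishedName
                OriginatingDSA = $matches[2]          # Site\DC that received the delete
                DeletedAt      = [datetime]::ParseExact($matches[4], 'yyyy-MM-dd HH:mm:ss',
                                     [Globalization.CultureInfo]::InvariantCulture)
            }
        }
    }
    return $null
}

# Tombstone RDNs carry "\0ADEL:<guid>", so only those are real deleted objects.
$results = foreach ($dn in Get-LdfDistinguishedNames -Path $ldf) {
    if ($dn -match '\\0ADEL:') { Get-DeletionOrigin -DC $DC -DistinguishedName $dn }
}

$results | Sort-Object DeletedAt | Format-Table DeletedAt, OriginatingDSA, DN -AutoSize

# Bursts: several tombstones originating on the same DC within the same second
# point to a scripted or bulk deletion rather than someone working in a console.
$results |
    Group-Object { '{0} @ {1:yyyy-MM-dd HH:mm:ss}' -f $_.OriginatingDSA, $_.DeletedAt } |
    Where-Object { $_.Count -ge 3 } |
    ForEach-Object { '{0} object(s) deleted on {1}' -f $_.Count, $_.Name }
```

Two caveats when reading the output. Tombstones only survive for the tombstone lifetime (60 or 180 days depending on when the forest was created), so this has to be run before they are garbage-collected. And the originating DSA tells you which DC the delete was issued against and when, not which account issued it; the "who" still has to come from the Security log on that DC, which is why the comments above insist on Account Management auditing and a log size large enough to cover the window you need.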
