Windows 2012 Conputer account Deleted

jyoung127
jyoung127 used Ask the Experts™
on
Is there a way to find out what user account deleted a computer Account in AD?

Windows 2012 R2, Domain  function level is  at windows 2008.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

Commented:
Auditing is not turned on by default, so unless you had previously configured it, no. That information is not logged or tracked. And since you are asking, it is usually a safe conclusion that auditing was never configured.

Commented:
Have you enabled 2012 Ad Recycle Bin?  If not, do so for future issues.
Plenty of articles on how to do this, for example:
http://blogs.technet.com/b/canitpro/archive/2013/04/10/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012.aspx

Author

Commented:
Let me understand other than using windows Audit there is not other way of tracking who deletes a computer in AD?  EX PowerShell?

I had auditing for users turn on but did not for computers.

I plan on Moving the  function level  of the domain to windows 2008 R2 soon so I can turn on Recycle bIn for AD.
Distinguished Expert 2018
Commented:
The recycle bin will let you recover, but still would not tell you who deleted the account. And no, outside of auditing or a 3rd party utility (which would also have needed to be in place, not after the fact), that information is not tracked. So there would be no way to query that via powershell either.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial