Case of the Disappearing Objects: How to Audit Who Deleted What in Active Directory

August Newsletter

By Randy Franklin Smith

I often get asked how to audit the deletion of objects in Active Directory. It’s pretty easy to do this with the Windows Security Log – especially for tracking deletion of users and groups, which I’ll show you first. All you have to do is enable “Audit user accounts” and “Audit security group management” in the Default Domain Controllers Policy GPO. You’ll find these two policies under Security Settings\Advanced Audit Policy Configuration. Make sure you also enable the Security Option named “Audit: force audit policy subcategories to override…”; this option ensures that the advanced subcategory settings actually take effect instead of the legacy top-level audit categories.

Within a few minutes all your domain controllers will begin auditing changes to domain users and groups – including deletions. The events to look for are

4730 – A security-enabled global group was deleted
4734 – A security-enabled local group was deleted
4758 – A security-enabled universal group was deleted
4726 – A user account was deleted

Here’s an example of event ID 4726:

A user account was deleted.

Subject:

Security ID: WIN-R9H529RIO4Y\Administrator

Account Name: Administrator

Account Domain: WIN-R9H529RIO4Y

Logon ID: 0x1fd23

Target Account:

Security ID: WIN-R9H529RIO4Y\bob

Account Name: bob

Account Domain: WIN-R9H529RIO4Y

Additional Information:

Privileges –

As you can see there’s a different event ID for each group scope (global, local and universal). The fields under Subject, as always, tell you who deleted the group, and under Deleted Group you’ll see the name and domain of the group that was removed. Then of course there’s 4726 for the deletion of user accounts. Interpreting this event is easy; the Subject fields identify who did the deleting and the Target Account fields identify the user account that is now gone.

Monitoring deletions of organizational units (OUs) and group policy objects (GPOs) requires a few more steps. First you need to enable “Audit directory service changes” in the same GPO as above. But that alone doesn’t make Active Directory audit deletions of OUs and GPOs. Next you need to open Active Directory Users and Computers. Select and right-click the root of the domain and select Properties. Click the Security tab, then Advanced and then the Audit tab. Now you are looking at the object-level audit policy for the root of the domain, which automatically propagates down to child objects. Here you need to add two entries that audit the successful use of the Delete permission on organizationalUnit and groupPolicyContainer objects, as shown below.

[Screenshot: Advanced Security Settings for the domain root, Auditing tab, showing the two Delete audit entries for organizationalUnit and groupPolicyContainer objects]
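If you would rather script the object-level audit entries than click through the dialog, here is an added PowerShell example (it is not the newsletter’s own code) that writes the same two entries to the domain root’s SACL. It assumes the RSAT ActiveDirectory module is installed (it supplies the AD: drive used below) and that the session is allowed to modify auditing, which Domain Admins are by default; Get-SchemaClassGuid is a helper name chosen for this example.

```powershell
# Added example, not the newsletter's own code. PowerShell equivalent of the
# ADUC steps above: two SACL entries on the domain root that audit successful
# use of Delete on descendant organizationalUnit and groupPolicyContainer objects.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a
# session permitted to change the SACL (Domain Admins hold SeSecurityPrivilege).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext      # e.g. DC=acme,DC=com

# Helper (name chosen for this example): read a class's schemaIDGUID from the
# schema partition rather than hard-coding the well-known GUIDs.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]::new([byte[]]$cls.schemaIDGUID)
}

# Audit "Everyone" so the entry fires no matter which principal deletes.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# -Audit is required for Get-Acl to return the SACL and not only the DACL.
$acl = Get-Acl -Path "AD:\$domainDN" -Audit

foreach ($class in 'organizationalUnit', 'groupPolicyContainer') {
    # Overload used: identity, rights, audit flags, inheritance, inheritedObjectType.
    # Descendents + inheritedObjectType is what the GUI shows as
    # "Applies to: Descendant <class> objects".
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::Delete,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaClassGuid -LdapDisplayName $class)
    )
    $acl.AddAuditRule($rule)
}

Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Read the SACL back and list the explicit (non-inherited) Delete audit entries
# so you can confirm both landed before waiting for the first 5141.
$acl = Get-Acl -Path "AD:\$domainDN" -Audit
$acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Delete) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, InheritedObjectType
```

The schema lookup is there so the script keeps working in a forest where you would otherwise have to trust a copied-and-pasted GUID; if you later extend it to user and group objects, as the last paragraph of the article suggests, only the list in the foreach changes.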

Within a few minutes your domain controllers should start logging event ID 5141 whenever either type of object is deleted. To determine what kind of object was deleted, look at the Class field, which will be either organizationalUnit or groupPolicyContainer. The other fields under Object: and Directory Service: provide the name and domain of the deleted object, and of course the Subject tells us who deleted it. Here’s an example of a deleted GPO. Notice that the GUID of the GPO is listed instead of its friendlier display name. That’s because GPOs are identified by GUID in their official distinguished name.

A directory service object was deleted.

Subject:

Security ID: ACME\administrator

Account Name: administrator

Account Domain: ACME

Logon ID: 0x30999

Directory Service:

Name: acme.com

Type: Active Directory Domain Services

Object:

DN: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843},CN=Policies,CN=System,DC=acme,DC=com

GUID: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843}\0ADEL:291d5001-782a-4b3c-a319-87c060621b0e,CN=Deleted Objects,DC=acme,DC=com

Class: groupPolicyContainer

Operation:

Tree Delete: No

Correlation ID: {140c9cef-8dc1-48f4-8b4a-de79230731a6}

Application Correlation ID: –

Going back to users and groups for a moment, remember that the method described above also causes all other changes to users and groups to be audited, which I think is important to do. But if you really only want to track deletions, you can use the same method just described for OUs and GPOs for users and groups too. All you need to do is add audit entries to the root of the domain for user and group objects. Then Active Directory will start recording 5141 for user and group deletions as well.
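To review both kinds of deletion events together, the account-management events (4726, 4730, 4734, 4758) from the first part of the article and the directory-service 5141 events from the second, here is an added PowerShell example that is not part of the original newsletter. It reads those IDs from a domain controller’s Security log and normalizes them into who-deleted-what rows. It assumes the account running it can read the Security log on the DC; Get-AdDeletions and Get-EventDataMap are names chosen for this example, and the field names used (SubjectUserName, TargetUserName, ObjectDN, ObjectClass and so on) are the EventData names in the events’ XML.

```powershell
# Added example, not the newsletter's own code. Pulls the deletion events the
# article describes from a DC's Security log and turns each one into a
# who / what / class row. Assumes read access to the Security log on the DC
# named in -ComputerName (default: the local machine).

# Event IDs covered and, for the account-management ones, the object kind
# the ID implies. For 5141 the kind comes from the event's own Class field.
$deletionIds = @{
    4726 = 'user'
    4730 = 'security-enabled global group'
    4734 = 'security-enabled local group'
    4758 = 'security-enabled universal group'
    5141 = 'directory service object'
}

# Helper (name chosen for this example): flatten EventData <Data Name="..."> into a hashtable.
function Get-EventDataMap {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Get-AdDeletions {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = [int[]]$deletionIds.Keys; StartTime = $Since }

    # SilentlyContinue also swallows the "No events were found" error Get-WinEvent
    # raises when nothing matches; an empty result simply means no deletions.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap -Event $_
            if ($_.Id -eq 5141) {
                # Object: DN and Class from the event, as in the sample above.
                $deleted = $d['ObjectDN']
                $class   = $d['ObjectClass']
            } else {
                # Target Account / Deleted Group: domain\name of what was removed.
                $deleted = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                $class   = $deletionIds[$_.Id]
            }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Class      = $class
                Deleted    = $deleted
                By         = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                LogonId    = $d['SubjectLogonId']   # ties back to the 4624 logon session
                TreeDelete = $d['TreeDelete']       # 5141 only: Yes when a whole subtree went
            }
        }
}

Get-AdDeletions | Sort-Object Time | Format-Table -AutoSize
```

The LogonId column is worth keeping: it is the same value shown under Subject in the events above, so you can correlate a deletion with the logon session (event 4624) that performed it. For a deleted GPO the Deleted column will show the GUID-based DN exactly as the article explains; the display name is gone with the object unless you can still resolve it elsewhere.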