To track user and computer account deletions in Active Directory, and to find out who deleted a given account, you can use the following steps:
- Enable account management auditing: Deletions are only recorded if the domain controllers audit account management, so configure it in a GPO linked to the Domain Controllers OU (normally the Default Domain Controllers Policy) rather than on a single machine, since any writable DC can process a deletion. The legacy setting is Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> “Audit account management” (Success). On current Windows Server versions, prefer the finer-grained subcategories under Advanced Audit Policy Configuration -> Audit Policies -> Account Management: “Audit User Account Management” and “Audit Computer Account Management”, both for Success; when both the legacy category and the advanced subcategories are configured, the subcategory settings take precedence by default. Domain controllers audit these subcategories out of the box, but verify the effective policy on each DC with auditpol /get /category:"Account Management" rather than assuming it.
- Collect Security event logs: A user deletion is logged as Event ID 4726 (“A user account was deleted”) and a computer deletion as Event ID 4743 (“A computer account was deleted”), in the Security log of the domain controller that processed the deletion, not on every DC. Collect the Security log from all DCs, ideally by forwarding it to a central collector (Windows Event Forwarding or a SIEM), and size or archive the log so the events survive long enough to be investigated; a small Security log on a busy DC can roll over within hours.
- Filter logs: Filter for Event IDs 4726 and 4743, then for the deleted account in the Target Account fields (Account Name, Account Domain, Security ID). Computer accounts appear with a trailing $ (for example WS01$). An Event Viewer custom view, PowerShell (Get-WinEvent with -FilterHashtable), or your log analysis or SIEM tooling all work for this.
- Analyze logs: The Subject section of the event (Security ID, Account Name, Account Domain, Logon ID) identifies the account that performed the deletion; the Target Account section identifies what was deleted. The Subject is the caller as the DC saw it, so a deletion made through a provisioning tool or scheduled script shows the service account it ran under. To find where the deletion came from, correlate the Subject Logon ID with the 4624 logon event on the same DC whose New Logon ID matches; that 4624 records the source workstation name and network address.
Overall, tracking user and computer account deletions in Active Directory combines enabling auditing, collecting logs, filtering them, and analyzing the result. The same events let you spot policy violations or hostile cleanup (an attacker deleting accounts to cover their tracks) and attribute changes to specific users or groups. If the AD Recycle Bin is enabled, the deleted object and its attributes can also be recovered with Restore-ADObject; without it, only a tombstone with a handful of attributes remains.
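As an added example (not code from the original page), the following PowerShell ties the steps above together: it queries the Security log of every domain controller for 4726 and 4743 events, reads the Subject and Target Account fields by name from the event XML, and for each hit looks up the 4624 logon on the same DC with the matching Logon ID to show where the deleting session came from. It assumes the RSAT ActiveDirectory module, permission to read the Security log on each DC remotely, and that account management auditing (Success) is enabled as described; the parameter names and the lookback window are this example's own choices, while the field names follow the standard 4726/4743/4624 event schema.

```powershell
<#
Added example, not code from the original page: find who deleted an AD user or
computer account by reading 4726/4743 events from every domain controller, then
correlate the Subject Logon ID with the matching 4624 logon to see where the
deleting session came from. Assumes the RSAT ActiveDirectory module, rights to
read the Security log on each DC remotely, and that Audit User/Computer Account
Management (Success) is enabled on the DCs.
#>
param(
    # sAMAccountName of the deleted object; computer accounts end in $ (e.g. 'WS01$')
    [Parameter(Mandatory)][string]$TargetName,
    [int]$DaysBack = 30
)

Import-Module ActiveDirectory

# Flatten <EventData><Data Name="x">v</Data>... into a hashtable keyed by Name,
# so fields are read by schema name instead of parsing the localized message text.
function ConvertFrom-EventData {
    param($Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# The 4726/4743 Subject Logon ID equals the "New Logon" ID (TargetLogonId) of the 4624
# that opened that session on the same DC; that 4624 carries the caller's IP/workstation.
function Get-LogonSource {
    param([string]$Dc, [string]$LogonId, [datetime]$Since, [datetime]$Before)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since; EndTime = $Before }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_['TargetLogonId'] -eq $LogonId } |
        Select-Object -First 1
}

$eventIds = 4726, 4743          # 4726 = user account deleted, 4743 = computer account deleted
$since    = (Get-Date).AddDays(-$DaysBack)

# A deletion is logged only on the DC that processed it, so every writable DC must be asked
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = $eventIds; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; anything else (RPC, access denied) is worth seeing
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        $data = ConvertFrom-EventData $e
        # Target* = the account that was deleted; Subject* = the account that deleted it
        if ($data['TargetUserName'] -ne $TargetName) { continue }

        $src     = Get-LogonSource -Dc $dc -LogonId $data['SubjectLogonId'] -Since $since -Before $e.TimeCreated
        $srcIp   = if ($src) { $src['IpAddress'] }       else { '(no matching 4624 in window)' }
        $srcHost = if ($src) { $src['WorkstationName'] } else { '' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $dc
            EventId          = $e.Id
            DeletedAccount   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            DeletedSid       = $data['TargetSid']
            DeletedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            SubjectLogonId   = $data['SubjectLogonId']
            SourceAddress    = $srcIp
            SourceHost       = $srcHost
        }
    }
}

if (-not $results) {
    Write-Host "No 4726/4743 events for '$TargetName' in the last $DaysBack days on $($dcs.Count) DC(s); check auditpol and log retention on the DCs."
} else {
    $results | Sort-Object TimeCreated | Format-Table -AutoSize
}
```

Run it as an account that can read the DCs' Security logs, for example .\Find-AccountDeletion.ps1 -TargetName 'WS01$' -DaysBack 14. The 4624 correlation scans every logon on the DC back to the start of the window, which is cheap on a lab DC but slow on a busy one; in that case narrow the window, or do the correlation in your SIEM once the logs are forwarded. If a deletion is found but SourceAddress is empty, the logon that performed it was opened before the window or was an interactive session on the DC itself, which is worth a look on its own.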