I often get asked how to audit the deletion of objects in Active Directory. It’s pretty easy to do this with the Windows Security Log – especially for tracking deletion of users and groups which I’ll show you first. All you have to do is enable “Audit user accounts” and “Audit security group management” in the Default Domain Controllers Policy GPO. You’ll find these 2 policies under Security SettingsAdvanced Audit Policy Configuration. Make sure you also enable the Security Option named “Audit: force audit policy subcategories to override…”; this option ensures that the latter settings actually take effect.
Within a few minutes all your domain controllers will begin auditing changes to domain users and groups – including deletions. The events to look for are
4730 – A security-enabled global group was deleted
4734 – A security-enabled local group was deleted
4758 – A security-enabled universal group was deleted
4726 – A user account was deleted
Here’s an example of event ID 4726:
A user account was deleted.
Subject:
Security ID: WIN-R9H529RIO4YAdministrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Target Account:
Security ID: WIN-R9H529RIO4Ybob
Account Name: bob
Account Domain: WIN-R9H529RIO4Y
Additional Information:
Privileges –
As you can see there’s a different event ID for each scope of group which I’ve indicated by underlining above. The fields under Subject, as always, tell you who deleted the group and under Deleted Group you’ll see the name and domain of the group that was removed. Then of course there’s 4726 for the deletion of user accounts. Interpreting this event is easy; the Subject fields identify who did the deleting and the Target fields indicate the user account that is now gone.
Monitoring deletions of organizational units (OUs) and group policy objects (GPOs) requires a few more steps. First you need to enable “Audit directory service changes” in the same GPO as above. But Active Directory doesn’t automatically start auditing deletions of OUs and GPOS yet. Next you need to open Active Directory Users and Computers. Select and right-click on the root of the domain and select Properties. Click the Security tab, then Advanced and then the Audit tab. Now you are looking at the object level audit policy for the root of the domain which automatically propagates down to child objects. Here you need to add 2 entries that audit the successful use of Delete permission for organizationalUnit and groupPolicyContainer objects as shown below.
Within a few minutes your domain controllers should start logging event ID 5141 whenever either type of object is deleted. To determine what kind of object was deleted look at the Class field which will be either organizationalUnit or groupPolicyContainer. The other fields under Object: and Directory Service provide the name a domain of the object deleted and of course the Subject tells us who deleted the object. Here’s an example of a deleted GPO. Notice that the GUID of the GPO is listed instead of is more friendly Display Name. That’s because the GPOs are identified in their official Distinguished Name by GUID.
A directory service object was deleted.
Subject:
Security ID: ACMEadministrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Directory Service:
Name: acme.com
Type: Active Directory Domain Services
Object:
DN: CN={8F8DF4A9-5B21-4A27-9BA6- 1AECC663E843},CN=Policies,CN=System,DC=acme,DC=com
GUID: CN={8F8DF4A9-5B21-4A27-9BA6-1AECC663E843}ADEL:291d5001- 782a-4b3c-a319-87c060621b0e,CN=Deleted Objects,DC=acme,DC=com
Class: groupPolicyContainer
Operation:
Tree Delete: No
Correlation ID: {140c9cef-8dc1-48f4-8b4a-de79230731a6}
Application Correlation ID: –
Going back to users and groups for a moment, remember that the method described above also results in all other changes to users and groups to be audited as well which I think is important to do. But if you really only want to track deletions you can actually use the same method just described for OUs and GPOs for users and groups too. All you need to do is add audit entries to the root of the domain for user and group objects. Then Active Directory will start recording 5141 for user and group deletions too.
Subscribe to Lumifi's Daily Cybersecurity News Curated by a CISO
We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.