Tracking who deleted an Active Directory account

Someone just deleted a very important AD account. Your job, should you choose to accept it, is to track down the vile perpetrator and enact swift justice!  😉

Account name: user5.test

Location: domain1.com

Tools for the job: ldp.exe; repadmin; event-log

Note. This was done with 2008 R2 DCs, forest functional level 2003 / domain functional level 2003. If you run Server 2003 the event log IDs will most likely be different.

Step 1. ldp.exe

Acquire the deleted object’s DN.

The object's old DN is no longer valid; what we need is the new tombstone DN (a bit special, since it includes the GUID to ensure uniqueness).

Start Ldp.exe

Connect > domain1.com

Bind > appropriate credentials

Before we do anything else we must enable ldp.exe to show the deleted objects:

Options > Controls > Load Predefined > Return deleted objects > OK

Should look like this:

[Screenshot: ldp_view_del_items]

View > Tree > BaseDN “DC=domain1, DC=com”

Navigate to “CN=Deleted Objects,DC=domain1, DC=com” and expand

Note. Replace domain1.com with your own naming convention of course 😉

Locate user5.test and grab the tombstone DN (object's old GUID + old DN).

Note. I will provide in a later article the details on managing and recovering tombstone objects, and further details about ldp.exe (amazing AD admin tool)

Step 2. repadmin

Find out on what DC the object was deleted.

repadmin /showobjmeta DCname "DN"

Note. Make sure the DC used has replicated, and use the deleted object's tombstone DN we grabbed in Step 1.

Aha! What do we see here? The isDeleted attribute originated on the DC2-2008 domain controller:

Note: More details on this function can be found here: https://sysadminemporium.wordpress.com/2012/11/22/hello-world/

Step 3. event-log

Accessing DC2-2008's event log

Windows Logs > Security

What do we have here? A 4726 Account Management event ("A user account was deleted")!

A closer look:

Success! User5.test was deleted by Domain1\andrei.ursuleac

Ugh…that is my account…time to run!
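The same three steps can be chained together in PowerShell so the hunt takes seconds instead of clicking through ldp.exe. This is an added example, not code from the original post: it assumes the ActiveDirectory RSAT module is installed, that repadmin.exe is on the path, that you can read the originating DC's Security log remotely, and that the DC you query (the $DC parameter) has already replicated the deletion. The account and domain names default to the ones used in the post.

```powershell
# Added example, not part of the original post. Automates Step 1-3:
#   1. find the tombstone DN of the deleted account (ldp.exe step)
#   2. read replication metadata to find the DC where the delete originated (repadmin step)
#   3. pull event 4726 from that DC's Security log and read who did it (event-log step)
param(
    [string]$SamAccountName = 'user5.test',   # account from the post
    [string]$Domain         = 'domain1.com',  # domain from the post
    [string]$DC             = 'domain1.com'   # DC (or domain name) to query; must have replicated
)

Import-Module ActiveDirectory

# Step 1: deleted objects keep their objectGUID and sAMAccountName, and the tombstone
# lives under CN=Deleted Objects with a mangled DN. -IncludeDeletedObjects adds the
# same "Return deleted objects" LDAP control that ldp.exe loads in the post.
$tombstone = Get-ADObject -Server $DC -IncludeDeletedObjects `
    -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
    -Properties isDeleted, whenChanged, objectGUID
if (-not $tombstone) { throw "No tombstone found for $SamAccountName in $Domain" }
$tombstoneDN = $tombstone.DistinguishedName
Write-Host "Tombstone DN: $tombstoneDN"

# Step 2: repadmin /showobjmeta prints one line per attribute; the "Originating DSA"
# column (Site\DC) on the isDeleted line is the DC on which the delete was performed.
$meta = & repadmin.exe /showobjmeta $DC "$tombstoneDN"
$isDeletedLine = $meta | Where-Object { $_ -match '\bisDeleted\s*$' } | Select-Object -First 1
if (-not $isDeletedLine) { throw 'isDeleted metadata not found; check replication and the DN' }
$fields         = $isDeletedLine.Trim() -split '\s+'
$originatingDsa = $fields[1]                      # e.g. Default-First-Site-Name\DC2-2008
$originatingDc  = ($originatingDsa -split '\\')[-1]
try {
    # Org.Time/Date column is printed as "yyyy-MM-dd HH:mm:ss"
    $deleteTime = [datetime]::ParseExact("$($fields[3]) $($fields[4])", 'yyyy-MM-dd HH:mm:ss', $null)
} catch {
    $deleteTime = $tombstone.whenChanged          # fall back to the tombstone's own timestamp
}
Write-Host "Delete originated on $originatingDc at $deleteTime"

# Step 3: event 4726 ("A user account was deleted") on the originating DC. A one-hour
# window around the originating timestamp keeps the query small but tolerates clock skew.
$filter = @{
    LogName   = 'Security'
    Id        = 4726
    StartTime = $deleteTime.AddHours(-1)
    EndTime   = $deleteTime.AddHours(1)
}
$events = Get-WinEvent -ComputerName $originatingDc -FilterHashtable $filter -ErrorAction Stop

foreach ($e in $events) {
    # EventData carries Subject* (who did it) and Target* (what was deleted) fields
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetUserName -eq $SamAccountName) {
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            OriginatingDC  = $originatingDc
            DeletedAccount = "$($data.TargetDomainName)\$($data.TargetUserName)"
            DeletedBy      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            SubjectLogonId = $data.SubjectLogonId
        }
    }
}
```

Two things to check if the script comes back empty: event 4726 is only written when success auditing for "Audit User Account Management" is enabled on the DCs, and remote Get-WinEvent needs the Remote Event Log Management firewall rule open on the target DC. The SubjectLogonId in the output can be matched against the 4624 logon event on the same DC to see where the deleting session came from.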
