Someone just deleted a very important AD account. Your job, should you choose to accept it, is to track down the vile perpetrator and enact swift justice! 😉
Account name: user5.test
Tools for the job: ldp.exe; repadmin; event-log
Note. This is done with 2008R2 DC servers, Forest functional level 2003 / Domain functional level 2003. If you run Server 2003, the event log IDs will most likely be different.
Step 1. ldp.exe
Acquire the deleted object’s DN.
The object’s old DN is no longer valid; what we need is the new tombstone DN (a bit special, since it includes the GUID to ensure uniqueness).
Connect > domain1.com
Bind > appropriate credentials
Before we do anything else we must enable ldp.exe to show the deleted objects:
Options > Controls > Load Predefined > Return deleted objects > OK
Should look like this:
View > Tree > BaseDN “DC=domain1, DC=com”
Navigate to “CN=Deleted Objects,DC=domain1, DC=com” and expand
Note. Replace domain1.com with your own naming convention of course 😉
Locate user5.test and grab the tombstone DN (object’s old GUID + old DN)
Note. I will provide in a later article the details on managing and recovering tombstone objects, and further details about ldp.exe (amazing AD admin tool)
Step 2. repadmin
Find out on what DC the object was deleted.
repadmin /showobjmeta DCname “DN”
Note. Make sure the DC used has replicated, and use the deleted object’s tombstone DN we grabbed in Step 1.
Aha! What do we see here? The isDeleted attribute originated on the DC2-2008 domain controller:
Note. More details on this command can be found here: https://sysadminemporium.wordpress.com/2012/11/22/hello-world/
Step 3. event-log
Accessing the DC2-2008’s event-log
Windows Logs > Security
What do we have here? A 4726 Account Management event!
A closer look:
Success! user5.test was deleted by Domain1\andrei.ursuleac
Ugh…that is my account…time to run!
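The same three steps scripted end to end, as an added example that is not part of the original post. It assumes the Active Directory PowerShell module (Get-ADReplicationAttributeMetadata needs the Server 2012+ RSAT version; on a pure 2008R2 toolset use repadmin /showobjmeta as in Step 2), and the account, domain and DC names are the ones from the post.

```powershell
# Added example: locate a deleted AD object, find the originating DC, pull the 4726 event.
# Assumes RSAT AD module and Security log read rights on the DCs. Names are from the post.
Import-Module ActiveDirectory

$account = 'user5.test'          # sAMAccountName of the deleted object
$domain  = 'domain1.com'

# Step 1: the live DN is gone; query the tombstone under CN=Deleted Objects instead.
$tombstone = Get-ADObject -Server $domain -IncludeDeletedObjects `
    -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$account'" `
    -Properties lastKnownParent, whenChanged
if (-not $tombstone) { throw "No tombstone found for $account (already garbage-collected?)" }
"Tombstone DN : $($tombstone.DistinguishedName)"
"Last parent  : $($tombstone.lastKnownParent)"

# Step 2: replication metadata for isDeleted tells us which DC originated the deletion.
$meta = Get-ADReplicationAttributeMetadata -Server $domain -IncludeDeletedObjects `
    -Object $tombstone.DistinguishedName -Properties isDeleted
# Originating DSA is the NTDS Settings DN; the DC name is its second RDN.
$dsaDn = $meta.LastOriginatingChangeDirectoryServerIdentity
$originDc = (($dsaDn -split ',')[1] -replace '^CN=', '')
"Deleted on   : $originDc at $($meta.LastOriginatingChangeTime)"

# Step 3: only the originating DC logged 4726; filter by target account, not by time guesswork.
$since = $meta.LastOriginatingChangeTime.AddMinutes(-5)
$events = Get-WinEvent -ComputerName $originDc `
    -FilterHashtable @{ LogName = 'Security'; Id = 4726; StartTime = $since } -ErrorAction Stop
foreach ($e in $events) {
    # Parse EventData by field name rather than by position, so field order cannot fool us.
    [xml]$x = $e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d['TargetUserName'] -eq $account) {
        "Deleted by   : $($d['SubjectDomainName'])\$($d['SubjectUserName']) " +
        "(logon id $($d['SubjectLogonId'])) at $($e.TimeCreated)"
    }
}
```

If the Security log on the originating DC has already rolled over, the replication metadata still pins the DC and time of the deletion, which is what you need to pull the right archived log.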