How to Detect Who Deleted a Computer Account in Active Directory

Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing

  1. Run gpmc.msc → edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings:
    • Local Policies → Audit Policy → Audit account management → Define → Success
    • Event Log → Define → Maximum security log size to 1 GB and Retention method for security log to Overwrite events as needed.
  2. Open ADSI Edit → Connect to Default naming context → right-click "DC=domain name" → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click "Add" → Choose the following settings:
    • Principal: Everyone; Type: Success; Applies to: This object and all descendant objects; Permissions: Delete, Delete subtree, Write all properties → Click "OK".
  3. To identify which computer account was deleted, filter the Security event log for Event ID 4743.
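Step 3 in practice, as an added example that is not part of the original page: a PowerShell script that pulls Event ID 4743 from a domain controller's Security log and lists who deleted which computer account. It assumes the audit settings above are in place, that the caller can read the Security log on the DC named in $DomainController (a variable introduced here, defaulting to the local machine), and that the events use the standard 4743 EventData field names.

```powershell
# Added example, not part of the original page: list computer-account deletions (Event ID 4743)
# from a domain controller's Security log and show who performed each one.
# Assumptions: the audit settings above are in place, and the caller can read the Security log
# on the target DC (for example, a member of Event Log Readers or Domain Admins).
$DomainController = $env:COMPUTERNAME   # assumption: run on the DC itself; set a DC name otherwise
$Days             = 7                   # how far back to look

# Sanity check on the local machine: 4743 is only written if this subcategory audits Success.
auditpol /get /subcategory:"Computer Account Management"

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4743
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue      # "no events found" is not worth aborting the script

$events | ForEach-Object {
    $evt  = $_
    # Read EventData fields by name; positional parsing breaks if the field order changes.
    $data = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    [pscustomobject]@{
        Time             = $evt.TimeCreated
        DeletedAccount   = "$($data.TargetDomainName)\$($data.TargetUserName)"   # e.g. CORP\WS01$
        DeletedBy        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        SubjectLogonId   = $data.SubjectLogonId    # matches the Logon ID in that user's 4624 event
        DomainController = $evt.MachineName
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Event 4743 is written only on the domain controller that processed the deletion, so run this against each DC (or your log collector) unless Security logs are forwarded centrally.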

Netwrix Auditor for Active Directory

  1. Run Netwrix Auditor → go to Search → add What filter equal to “computer” and Action filter equal to “removed” → Search.

Identify who deleted computer accounts to avoid authentication errors

Improper deletion of a computer account can cause system downtime. Users whose computer accounts have been deleted won’t be able to log in to IT systems with their domain credentials. If they are already logged in, they will have trouble accessing their email, shared folders, SharePoint and other services. In addition to this loss of productivity, IT staff have to spend time investigating why an authentication error has occurred. To avoid these issues, it’s vitally important to detect deleted computer accounts in a timely manner.

Netwrix Auditor for Active Directory provides complete visibility into activity in Active Directory and Group Policy by delivering actionable audit data about all access events and changes, including when someone deletes a computer account. Customizable email alerts enable IT administrators to respond quickly to unwanted deletions that leave the system unable to authenticate a user, and audit reports contain actionable details, such as who deleted which computer account, when and where, so admins can investigate and prevent similar problems in the future.
