Hey who deleted that user from AD???

Hey who deleted that user from AD???

  • Comments 18
  • Likes

Backstory

As an Active Directory administrator you might find yourself in a scenario where an object/account/computer/etc gets deleted from the directory and then helpdesk/operations/management/VPs want to know the who, what , when, where, why, and how.

Now in a big enterprise like here in MSIT that could be quite difficult, since you don’t know what DC it was deleted on you can’t find the event for the deletion.  Now yes, you could use eventcomb to look at all the DCs, but I thought I'd show you a way to do this using LDP and Repadmin since I find it quicker and more efficient use of your time.

LDP

First we need to open up LDP and connect to a server, if you leave the server field blank a DC will be picked for you automagically, which is fine.

Next you need to bind to the DC you are connected to, click Connection, then bind, again if you leave all the fields blank it will bind with the user you opened up LDP with.  I use this a lot when I open LDP under an elevated cmd prompt.

Now click Browse and then search, we need to make sure we properly set the control to return deleted objects, once we do this we can search for the object deleted, below is a screenshot of what this looks like.

Now we need to search for the deleted object, if you go to View and then Tree and leave it blank it will go to the default naming context which by default is the domain naming context.  Once this shows up in the left hand side, expand it then go to the deleted objects container, alt click and then choose search.  Now you will search just that container.  Now we can just search for an attribute of the object you’re looking for, in my case the samaccountname, but for you it might be different, and you can use wildcard characters when searching.

Once I find this object it will show up in the right hand side, I can copy the DN then populate that into repadmin to find out where it was deleted from.

Repadmin

C:\>repadmin /showobjmeta dc-01 "CN=Brad Rutkowski\0ADEL:5bb8da89-e51b-487a-9835-a21904c86a63,CN=Deleted Objects,DC=braddom,DC=bradforest,DC=microsoft,DC=com"

28 entries.
Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
=======                          =============== ========= =============        === =========
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 objectClass
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 cn
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 sn
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 givenName
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 instanceType
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 whenCreated
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 displayName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    1 isDeleted
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 nTSecurityDescriptor
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 name
5023741                       Default-Site\DC-05  5023741 2006-09-20 13:53:56    3 userAccountControl
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 codePage
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 countryCode
5023738                       Default-Site\DC-05  5023738 2006-09-20 13:53:40    2 dBCSPwd
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 logonHours
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    3 unicodePwd
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 ntPwdHistory
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    4 pwdLastSet
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 primaryGroupID
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 supplementalCredentials
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 objectSid
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 accountExpires
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 lmPwdHistory
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 sAMAccountName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 sAMAccountType
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 userPrincipalName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    1 lastKnownParent
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 objectCategory
0 entries.
Type    Attribute     Last Mod Time                             Originating DC  Loc.USN Org.USN Ver
======= ============  =============                           ================= ======= ======= ===
        Distinguished Name
        =============================

Looking at the isDeleted attribute we can see that the object was deleted from DC-05 at 1:54:53, that's great now we just need to hop on that domain controller and see who did it.

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 630
Date:  9/20/2006
Time:  1:54:53 PM
User:  BRADDOM\HACKERX
Computer: DC-05
Description:
User Account Deleted:
  Target Account Name: bradrutk
  Target Domain: BRADDOM
  Target Account ID: Brad Rutkowski
DEL:5bb8da89-e51b-487a-9835-a21904c86a63
  Caller User Name: HACKERX
  Caller Domain: BRADOM
  Caller Logon ID: (0x0,0x21B7F443)

Now you might say:  Hey that's no easier!  Wait until you get in the situation when an account is deleted and people want to know NOW, then you'll see how useful this is.

 

 

Technorati tags: ,
Comments
  • I've tried using C:\>repadmin /showobjmeta, it does not work...in fact when I check, there is no such /showobjmeta. Only /showmeta.

    So far, I can't get the information on who did the deletion.

  • Oh...for your information, my DC is still on W2K OS.

  • Hi Brad,

    Ok, found out that repadmin /showobjmeta parameter is for Windows 2003 server only.

    Is there any other way to perform this checking on Windows 2000 OS?

    Thanks.

    Ryan

  • To do this in W2k you would use the showmeta command.

    repadmin /showmeta <Object DN> [DC] [/nocache] [/linked]

    I had to bust out the repadmin /oldhelp to see the syntax.

  • How do i do trhis to find a computer deleted?

  • Hi Minesh, it should be exactly the same ac we're quering for the samaccountname of the object with a wildcard.  

  • SIMPLY AMAZING ARTICLE!!

    YR A GENIUS!!!

  • Wow thx audypie, you have a low standard for the genius bar.

  • Hi,

    this is very useful. I don't have a access to domain controler but i can access the domain from other system through (Active directory Users and computer console). How can i find out who has deleted the id?

  • Pretty good stuff, works like a charm.

  • Hey Brad,

    We just had this issue at my office now. A user disappeared without any reason. And your guide worked great!!! We found out who deleted the user by mistake. She felt very guilty. I told her to not beat herself up about it, we all make mistakes :) NP.

  • Is there a time limit on this investigation? That is, how long until the CN=Deleted Objects container is purged of entries, causing these data to not be searchable like this?

  • Hey Billy, I think your time limit is more on how long is it going to take before the security logs on the domain controllers "wrap" and the data is gone.  The time limit for the deleted objects is the tombstone lifetime (TSL) which is 180 days by default in 2k8 and beyong.

  • Thanks Brad, great post, was needed yesterday when we hit an issue, just a pity we didn't have event id 630 audited.

    Is there a way to filter ldp the deleted results on a time period easily i.e. return results deleted from say

    Monday 01 Jan 12:01 - Friday 5 Jan 20:00

  • The security log "wrap" just prevents me from knowing specifically who did this.

    The 180 day limit would at least help me identify which DC was responsible for the initial delete action, which is often enough to give me an idea of who it could have been, in case the Security Log can't tell me exactly.

    Thanks!!! Awesome piece!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment