Backstory
As an Active Directory administrator you might find yourself in a scenario where an object (a user account, computer, group, etc.) gets deleted from the directory, and then helpdesk, operations, management or VPs want to know the who, what, when, where, why, and how.
In a big enterprise like here in MSIT that can be quite difficult: since you don't know which DC the object was deleted on, you can't find the event for the deletion. Yes, you could use eventcomb to look at all the DCs, but I thought I'd show you a way to do this using LDP and Repadmin, since I find it quicker and a more efficient use of your time.
LDP
First we need to open LDP and connect to a server. If you leave the server field blank, a DC will be picked for you automagically, which is fine.
Next you need to bind to the DC you are connected to: click Connection, then Bind. Again, if you leave all the fields blank it will bind as the user you opened LDP with. I use this a lot when I open LDP from an elevated cmd prompt.
Now click Browse and then Search. We need to make sure we set the control to return deleted objects; once we do this we can search for the deleted object. Below is a screenshot of what this looks like.
Now we need to search for the deleted object. If you go to View, then Tree, and leave it blank, it will go to the default naming context, which by default is the domain naming context. Once this shows up on the left-hand side, expand it, go to the Deleted Objects container, alt-click it and choose Search. Now you will search just that container. We can then search for an attribute of the object you're looking for; in my case the sAMAccountName, but for you it might be different, and you can use wildcard characters when searching.
Once I find the object it shows up on the right-hand side. I can copy the DN and then feed that to repadmin to find out where it was deleted from.
Repadmin
C:\>repadmin /showobjmeta dc-01 "CN=Brad Rutkowski\0ADEL:5bb8da89-e51b-487a-9835-a21904c86a63,CN=Deleted Objects,DC=braddom,DC=bradforest,DC=microsoft,DC=com"
28 entries.
Loc.USN  Originating DC      Org.USN  Org.Time/Date        Ver  Attribute
=======  ==================  =======  ===================  ===  =========
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  objectClass
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  cn
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  sn
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  givenName
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  instanceType
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  whenCreated
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  displayName
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    1  isDeleted
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  nTSecurityDescriptor
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  name
5023741  Default-Site\DC-05  5023741  2006-09-20 13:53:56    3  userAccountControl
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  codePage
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  countryCode
5023738  Default-Site\DC-05  5023738  2006-09-20 13:53:40    2  dBCSPwd
5023737  Default-Site\DC-05  5023737  2006-09-20 13:53:40    1  logonHours
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    3  unicodePwd
5023737  Default-Site\DC-05  5023737  2006-09-20 13:53:40    1  ntPwdHistory
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    4  pwdLastSet
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  primaryGroupID
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  supplementalCredentials
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  objectSid
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  accountExpires
5023737  Default-Site\DC-05  5023737  2006-09-20 13:53:40    1  lmPwdHistory
5023736  Default-Site\DC-05  5023736  2006-09-20 13:53:40    1  sAMAccountName
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  sAMAccountType
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  userPrincipalName
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    1  lastKnownParent
5023742  Default-Site\DC-05  5023742  2006-09-20 13:54:53    2  objectCategory

0 entries.
Type     Attribute     Last Mod Time  Originating DC     Loc.USN  Org.USN  Ver
=======  ============  =============  =================  =======  =======  ===
         Distinguished Name
         =============================
Looking at the isDeleted attribute we can see that the object was deleted on DC-05 at 1:54:53. That's great; now we just need to hop on that domain controller and see who did it.
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 630
Date: 9/20/2006
Time: 1:54:53 PM
User: BRADDOM\HACKERX
Computer: DC-05
Description:
User Account Deleted:
    Target Account Name: bradrutk
    Target Domain: BRADDOM
    Target Account ID: Brad Rutkowski
DEL:5bb8da89-e51b-487a-9835-a21904c86a63
    Caller User Name: HACKERX
    Caller Domain: BRADOM
    Caller Logon ID: (0x0,0x21B7F443)
Now you might say: Hey, that's no easier! Wait until you get into the situation where an account is deleted and people want to know NOW; then you'll see how useful this is.
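The three manual steps above (the LDP search with the deleted-objects control, repadmin /showobjmeta to read the originating DC of isDeleted, then that DC's Security log), as an added PowerShell script that is not part of the original post. It assumes the ActiveDirectory module on Windows Server 2012 or later, and looks for event 4726, the 2008+ ID of the 630 event shown above.

```powershell
# Added example, not from the original post: the LDP -> repadmin -> Security-log chain above,
# done with the ActiveDirectory module (needs RSAT; Get-ADReplicationAttributeMetadata is 2012+).
# Assumes rights to read deleted objects and the remote DC's Security log. On 2008+ DCs the
# "User Account Deleted" event is 4726; 630 in the post is the 2000/2003 event ID.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,                     # e.g. bradrutk (from the post)
    [string] $Server = "$((Get-ADDomainController -Discover).HostName)"  # any DC, like LDP's blank server field
)
Import-Module ActiveDirectory

# Step 1 (LDP with the "return deleted objects" control): search tombstones by sAMAccountName.
$tombstones = Get-ADObject -Server $Server -IncludeDeletedObjects -Properties isDeleted, lastKnownParent `
    -Filter "sAMAccountName -eq '$SamAccountName'" | Where-Object isDeleted
if (-not $tombstones) { throw "No tombstone for '$SamAccountName': wrong name, or past the tombstone lifetime." }

foreach ($obj in $tombstones) {
    # Step 2 (repadmin /showobjmeta): the isDeleted row names the DC that originated the delete, and when.
    $meta = Get-ADReplicationAttributeMetadata -Server $Server -Object $obj.DistinguishedName `
        -Properties isDeleted -IncludeDeletedObjects
    $deletedAt = $meta.LastOriginatingChangeTime
    # The identity is the DC's NTDS Settings DN (CN=NTDS Settings,CN=DC-05,CN=Servers,...); keep the server RDN.
    # A bare GUID here means the originating DC no longer exists, so we keep it as-is.
    $dcId = $meta.LastOriginatingChangeDirectoryServerIdentity
    $originDC = if ($dcId -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $dcId }

    # Step 3 (the event-log step): pull the deletion events logged on that DC around the replication timestamp.
    $who = $null; $logonId = $null
    $events = Get-WinEvent -ComputerName $originDC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4726
        StartTime = $deletedAt.AddMinutes(-5); EndTime = $deletedAt.AddMinutes(5)
    }
    foreach ($e in $events) {
        $field = @{}                                        # name/value pairs, independent of field order
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['TargetUserName'] -eq $SamAccountName) {
            $who = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
            $logonId = $field['SubjectLogonId']
            break
        }
    }
    [pscustomobject]@{
        DeletedObject   = $obj.DistinguishedName
        LastKnownParent = $obj.lastKnownParent
        OriginatingDC   = $originDC
        DeletedAt       = $deletedAt
        DeletedBy       = if ($who) { $who } else { 'unknown: no 4726 in window (log wrapped or deletes not audited)' }
        CallerLogonId   = $logonId
    }
}
```

If the Security log on the originating DC has already wrapped, the script still returns the DC and the time of the delete from the replication metadata, which is the fallback the comments below describe.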
I've tried using C:\>repadmin /showobjmeta, it does not work...in fact when I check, there is no such /showobjmeta. Only /showmeta.
So far, I can't get the information on who did the deletion.
Oh...for your information, my DC is still on W2K OS.
Hi Brad,
Ok, found out that repadmin /showobjmeta parameter is for Windows 2003 server only.
Is there any other way to perform this checking on Windows 2000 OS?
Thanks.
Ryan
To do this in W2k you would use the showmeta command.
repadmin /showmeta <Object DN> [DC] [/nocache] [/linked]
I had to bust out the repadmin /oldhelp to see the syntax.
How do I do this to find a computer deleted?
Hi Minesh, it should be exactly the same as we're querying for the samaccountname of the object with a wildcard.
SIMPLY AMAZING ARTICLE!!
YR A GENIUS!!!
Wow thx audypie, you have a low standard for the genius bar.
Hi,
this is very useful. I don't have access to a domain controller but I can access the domain from another system through (Active Directory Users and Computers console). How can I find out who has deleted the id?
Pretty good stuff, works like a charm.
Hey Brad,
We just had this issue at my office now. A user disappeared without any reason. And your guide worked great!!! We found out who deleted the user by mistake. She felt very guilty. I told her to not beat herself up about it, we all make mistakes :) NP.
Is there a time limit on this investigation? That is, how long until the CN=Deleted Objects container is purged of entries, causing these data to not be searchable like this?
Hey Billy, I think your time limit is more on how long it is going to take before the security logs on the domain controllers "wrap" and the data is gone. The time limit for the deleted objects is the tombstone lifetime (TSL) which is 180 days by default in 2k8 and beyond.
Thanks Brad, great post, was needed yesterday when we hit an issue, just a pity we didn't have event id 630 audited.
Is there a way to filter ldp the deleted results on a time period easily i.e. return results deleted from say
Monday 01 Jan 12:01 - Friday 5 Jan 20:00
The security log "wrap" just prevents me from knowing specifically who did this.
The 180 day limit would at least help me identify which DC was responsible for the initial delete action, which is often enough to give me an idea of who it could have been, in case the Security Log can't tell me exactly.
Thanks!!! Awesome piece!