As an Active Directory administrator you might find yourself in a scenario where an object/account/computer/etc gets deleted from the directory and then helpdesk/operations/management/VPs want to know the who, what , when, where, why, and how.
Now in a big enterprise like here in MSIT that could be quite difficult, since you don’t know what DC it was deleted on you can’t find the event for the deletion. Now yes, you could use eventcomb to look at all the DCs, but I thought I'd show you a way to do this using LDP and Repadmin since I find it quicker and more efficient use of your time.
First we need to open up LDP and connect to a server, if you leave the server field blank a DC will be picked for you automagically, which is fine.
Next you need to bind to the DC you are connected to, click Connection, then bind, again if you leave all the fields blank it will bind with the user you opened up LDP with. I use this a lot when I open LDP under an elevated cmd prompt.
Now click Browse and then search, we need to make sure we properly set the control to return deleted objects, once we do this we can search for the object deleted, below is a screenshot of what this looks like.
Now we need to search for the deleted object, if you go to View and then Tree and leave it blank it will go to the default naming context which by default is the domain naming context. Once this shows up in the left hand side, expand it then go to the deleted objects container, alt click and then choose search. Now you will search just that container. Now we can just search for an attribute of the object you’re looking for, in my case the samaccountname, but for you it might be different, and you can use wildcard characters when searching.
Once I find this object it will show up in the right hand side, I can copy the DN then populate that into repadmin to find out where it was deleted from.
C:\>repadmin /showobjmeta dc-01 "CN=Brad Rutkowski\0ADEL:5bb8da89-e51b-487a-9835-a21904c86a63,CN=Deleted Objects,DC=braddom,DC=bradforest,DC=microsoft,DC=com"
28 entries.Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute======= =============== ========= ============= === =========5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 objectClass5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 cn5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 sn5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 givenName5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 instanceType5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 whenCreated5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 displayName5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 1 isDeleted5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 nTSecurityDescriptor5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 name5023741 Default-Site\DC-05 5023741 2006-09-20 13:53:56 3 userAccountControl5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 codePage5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 countryCode5023738 Default-Site\DC-05 5023738 2006-09-20 13:53:40 2 dBCSPwd5023737 Default-Site\DC-05 5023737 2006-09-20 13:53:40 1 logonHours5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 3 unicodePwd5023737 Default-Site\DC-05 5023737 2006-09-20 13:53:40 1 ntPwdHistory5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 4 pwdLastSet5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 primaryGroupID5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 supplementalCredentials5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 objectSid5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 accountExpires5023737 Default-Site\DC-05 5023737 2006-09-20 13:53:40 1 lmPwdHistory5023736 Default-Site\DC-05 5023736 2006-09-20 13:53:40 1 sAMAccountName5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 sAMAccountType5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 userPrincipalName5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 1 lastKnownParent5023742 Default-Site\DC-05 5023742 2006-09-20 13:54:53 2 objectCategory0 entries.Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver======= ============ ============= ================= ======= ======= === Distinguished Name =============================
Looking at the isDeleted attribute we can see that the object was deleted from DC-05 at 1:54:53, that's great now we just need to hop on that domain controller and see who did it.
Event Type: Success AuditEvent Source: SecurityEvent Category: Account Management Event ID: 630Date: 9/20/2006Time: 1:54:53 PMUser: BRADDOM\HACKERXComputer: DC-05Description:User Account Deleted: Target Account Name: bradrutk Target Domain: BRADDOM Target Account ID: Brad RutkowskiDEL:5bb8da89-e51b-487a-9835-a21904c86a63 Caller User Name: HACKERX Caller Domain: BRADOM Caller Logon ID: (0x0,0x21B7F443)
Now you might say: Hey that's no easier! Wait until you get in the situation when an account is deleted and people want to know NOW, then you'll see how useful this is.
The Media Galleries are disabled - so zooming in on the pictures is not possible. I was able to figure out the first 3 pictures without seeing them. But need the syntax used in the last picture to search samaccountname. Could you help out with values you entered into the 2 fields and the radio button in the picture? Thanks.
Hmm I also got this:
Media Galleries Temporarily Disabled
The administrator has temporarily disabled the media galleries.
How can you call it "Temporarily Disabled" when it's been that way since August, that’s half a year.
Sorry guys trying to figure out the pics but the syntax is: samaccountname=<server>$
You need to Enable Windows Audit. Unless then you won't be getting the Events.
Check below article.
I Tested it in Windows 2008 DC