Hey who deleted that user from AD???

Backstory

As an Active Directory administrator you will sooner or later find yourself in a scenario where an object (user, computer, group, OU, etc.) gets deleted from the directory, and helpdesk, operations, management and the VPs want to know the who, what, when, where, why and how.

In a big enterprise like here in MSIT that can be quite difficult: the deletion is only audited in the Security log of the domain controller it was performed on, so if you don't know which DC that was you can't find the event. Yes, you could use EventCombMT to sweep the Security logs of every DC, but I thought I'd show you a way to do this with LDP and Repadmin, since I find it a quicker and more efficient use of your time. The trick is that a deleted object lives on as a tombstone in the Deleted Objects container, and its replication metadata records which DC originated the delete and when.

LDP

First open LDP (ldp.exe) and connect to a server (Connection, then Connect). If you leave the server field blank a DC will be picked for you automatically, which is fine.

Next bind to the DC you are connected to: click Connection, then Bind. Again, if you leave all the fields blank it binds with the credentials you opened LDP with. I use this a lot when I open LDP from an elevated cmd prompt, since the bind then runs as that account.

Now click Browse and then Search. Before running anything, make sure the search sends the Show Deleted Objects control (LDAP_SERVER_SHOW_DELETED_OID, 1.2.840.113556.1.4.417, listed in LDP's controls as "Return deleted objects"). Without it the DC filters tombstones out of every result set and your search will come back empty. Once the control is set we can search for the deleted object; below is a screenshot of what this looks like.

Now search for the deleted object. Go to View, then Tree, and leave the base DN blank: LDP opens the default naming context, which is the domain naming context. Once it shows up in the left-hand pane, expand it, right-click the CN=Deleted Objects container and choose Search, so that only that container is searched. Then filter on an attribute the object still has, in my case the sAMAccountName, for example (sAMAccountName=bradrutk); for you it might be something else, and wildcards such as (sAMAccountName=brad*) work too. Keep in mind that most attributes are stripped when an object becomes a tombstone, so filter on one that is preserved (sAMAccountName, objectSid, objectGUID, lastKnownParent) rather than on something like displayName.

Once the object is found it shows up in the right-hand pane. Copy its DN, which now has the form CN=<name>\0ADEL:<objectGUID>,CN=Deleted Objects,<domain DN>, and feed it to repadmin to find out where it was deleted from.

Repadmin

C:\>repadmin /showobjmeta dc-01 "CN=Brad Rutkowski\0ADEL:5bb8da89-e51b-487a-9835-a21904c86a63,CN=Deleted Objects,DC=braddom,DC=bradforest,DC=microsoft,DC=com"

28 entries.
Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
=======                          =============== ========= =============        === =========
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 objectClass
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 cn
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 sn
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 givenName
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 instanceType
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 whenCreated
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 displayName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    1 isDeleted
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 nTSecurityDescriptor
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 name
5023741                       Default-Site\DC-05  5023741 2006-09-20 13:53:56    3 userAccountControl
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 codePage
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 countryCode
5023738                       Default-Site\DC-05  5023738 2006-09-20 13:53:40    2 dBCSPwd
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 logonHours
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    3 unicodePwd
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 ntPwdHistory
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    4 pwdLastSet
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 primaryGroupID
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 supplementalCredentials
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 objectSid
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 accountExpires
5023737                       Default-Site\DC-05  5023737 2006-09-20 13:53:40    1 lmPwdHistory
5023736                       Default-Site\DC-05  5023736 2006-09-20 13:53:40    1 sAMAccountName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 sAMAccountType
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 userPrincipalName
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    1 lastKnownParent
5023742                       Default-Site\DC-05  5023742 2006-09-20 13:54:53    2 objectCategory
0 entries.
Type    Attribute     Last Mod Time                             Originating DC  Loc.USN Org.USN Ver
======= ============  =============                           ================= ======= ======= ===
        Distinguished Name
        =============================

Look at the isDeleted row: Originating DC is Default-Site\DC-05 and Org.Time/Date is 2006-09-20 13:54:53, so the delete was originally written on DC-05 at 1:54:53 PM. The other rows sharing Org.USN 5023742 (cn, sn, displayName, unicodePwd and so on) are the attributes the tombstoning process stripped or rewrote in that same transaction, which is why their version numbers bumped at the same instant. That's great; now we just need to hop on that domain controller and look for the matching Account Management audit event at that time. Two caveats: the tombstone and its metadata only survive for the forest's tombstoneLifetime (60 or 180 days by default, depending on when the forest was built), and the event only exists if "Audit account management" success auditing is enabled on the DCs.

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 630
Date:  9/20/2006
Time:  1:54:53 PM
User:  BRADDOM\HACKERX
Computer: DC-05
Description:
User Account Deleted:
  Target Account Name: bradrutk
  Target Domain: BRADDOM
  Target Account ID: Brad Rutkowski
DEL:5bb8da89-e51b-487a-9835-a21904c86a63
  Caller User Name: HACKERX
  Caller Domain: BRADDOM
  Caller Logon ID: (0x0,0x21B7F443)

(The Target Account ID field wraps onto two lines because the tombstone's RDN really is "Brad Rutkowski", a line feed, then "DEL:<objectGUID>"; the \0A in the DN we copied out of LDP is that line feed escaped.)

Now you might say: Hey, that's no easier! Wait until you get into the situation where an account is deleted and people want to know NOW, then you'll see how useful this is.
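The same LDP, repadmin and Security-log walk as one PowerShell script, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so Get-ADObject can request the deleted-objects control for you), repadmin.exe on the PATH, and the right to read the Security log on the originating DC; it looks for event 4726, the Windows Server 2008+ equivalent of the 630 event shown above. The account name bradrutk is a placeholder, and the positional EventData layout of 4726 is taken from that event's template.

```powershell
# Added example, not code from the original post: the LDP -> repadmin ->
# Security-log walk scripted end to end. Assumptions: RSAT ActiveDirectory
# module (2008 R2+), repadmin.exe on the PATH, read access to the originating
# DC's Security log. 'bradrutk' is a hypothetical account name.

# Step 1 (what LDP did): find the tombstone. -IncludeDeletedObjects sends the
# same "Show Deleted Objects" control (1.2.840.113556.1.4.417) you set in LDP.
function Find-DeletedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -Properties isDeleted, lastKnownParent, objectSid, whenChanged
}

# Sanity check before you start: tombstones live only tombstoneLifetime days
# (60 or 180 by default). Past that the object and its metadata are gone.
function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }   # attribute not set = 60-day default
}

# Step 2 (what repadmin did): read the replication metadata and parse the
# isDeleted row. Originating DC is where the delete was written, Org.Time is when.
function Get-DeletionOrigin {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Dc = ($env:LOGONSERVER -replace '^\\\\', '')
    )
    $out = & repadmin.exe /showobjmeta $Dc $DistinguishedName
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed ($LASTEXITCODE): $($out -join "`n")" }

    # Row layout: Loc.USN  Site\OriginatingDC  Org.USN  yyyy-MM-dd HH:mm:ss  Ver  Attribute
    $rx  = '^\s*\d+\s+(?<site>[^\\\s]+)\\(?<dc>\S+)\s+\d+\s+(?<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+isDeleted\s*$'
    $hit = $out | Select-String -Pattern $rx | Select-Object -First 1
    if (-not $hit) { throw "No isDeleted metadata for $DistinguishedName; is it really a tombstone?" }

    $g = $hit.Matches[0].Groups
    [pscustomobject]@{
        OriginatingDC = $g['dc'].Value
        Site          = $g['site'].Value
        DeletedAt     = [datetime]::ParseExact($g['when'].Value, 'yyyy-MM-dd HH:mm:ss', $null)
    }
}

# Step 3 (the Security log): pull the matching "user account deleted" event from
# that DC. 4726 is the 2008+ equivalent of the 630 event in the post; both need
# "Audit account management" (success) enabled on the DCs. The time window
# absorbs clock skew; widen it if your DCs sit in other time zones.
# 4726 EventData order (from the event template): TargetUserName,
# TargetDomainName, TargetSid, SubjectUserSid, SubjectUserName,
# SubjectDomainName, SubjectLogonId.
function Get-DeletionEvent {
    param(
        [Parameter(Mandatory)][string]$OriginatingDC,
        [Parameter(Mandatory)][datetime]$DeletedAt,
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WindowMinutes = 5
    )
    Get-WinEvent -ComputerName $OriginatingDC -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4726
        StartTime = $DeletedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $DeletedAt.AddMinutes($WindowMinutes)
    } |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    Select-Object TimeCreated, MachineName,
        @{ n = 'Target';        e = { '{0}\{1}' -f $_.Properties[1].Value, $_.Properties[0].Value } },
        @{ n = 'Caller';        e = { '{0}\{1}' -f $_.Properties[5].Value, $_.Properties[4].Value } },
        @{ n = 'CallerLogonId'; e = { $_.Properties[6].Value } }
}

# Usage:
#   $t = Find-DeletedAccount -SamAccountName 'bradrutk'
#   $o = Get-DeletionOrigin -DistinguishedName $t.DistinguishedName
#   Get-DeletionEvent -OriginatingDC $o.OriginatingDC -DeletedAt $o.DeletedAt -SamAccountName 'bradrutk'
```

On a Windows Server 2003 DC, Get-WinEvent cannot read the remote log; use Get-EventLog -ComputerName <dc> -LogName Security -InstanceId 630 for the same time window instead, and read the Caller User Name field out of the message as in the event shown above.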

Comments
  • The Media Galleries are disabled - so zooming in on the pictures is not possible.  I was able to figure out the first 3 pictures without seeing them.  But need the syntax used in the last picture to search samaccountname.  Could you help out with values you entered into the 2 fields and the radio button in the picture?  Thanks.

  • Hmm I also got this:

    Media Galleries Temporarily Disabled

    The administrator has temporarily disabled the media galleries.

    How can you call it "Temporarily Disabled" when it's been that way since August, that’s half a year.

  • Sorry guys, trying to figure out the pics, but the syntax is:  samaccountname=<server>$
