Deleted AD Objects

By SuperG - Last updated: Tuesday, April 3, 2012 - Save & Share - Leave a Comment

When an object is deleted in AD (here 2008 R2 with the Recycle Bin enabled), the object is not removed straight away: its isDeleted attribute is set to TRUE, and it is renamed and moved into the hidden CN=Deleted Objects container of its partition. With the Recycle Bin enabled the object keeps its attributes for the deleted object lifetime, so it can be restored intact; without it you only get a stripped-down tombstone.

You can find this object with the Active Directory module for Windows PowerShell, by adding -IncludeDeletedObjects to the query (deleted objects are hidden from normal searches).

Get-ADObject -Filter 'samaccountname -eq "<Account name>"' -IncludeDeletedObjects

Example:

Get-ADObject -Filter 'samaccountname -eq "ThompsonDA"' -IncludeDeletedObjects

Deleted           : True
DistinguishedName : CN=Thompson Donald (Test)\0ADEL:64588b0d-a45c-4845-ae92-deb3e5930206,CN=Deleted Objects,DC=<Domain>,DC=com
Name              : Thompson Donald (Test)
                    DEL:64588b0d-a45c-4845-ae92-deb3e5930206
ObjectClass       : user
ObjectGUID        : 64588b0d-a45c-4845-ae92-deb3e5930206

The "\0ADEL:" in the distinguished name is a literal line feed (0x0A) followed by DEL:<objectGUID>, which AD appends to the RDN when it moves the object; that is why the Name field wraps onto a second line.

This shows that the object was deleted, but not a lot more. To find out when and where it was deleted we can look at the object's replication metadata.

Every attribute carries metadata recording the last originating write. For the isDeleted attribute, the Org.Time/Date is the moment the object was deleted, and the Originating DSA is the DC on which the deletion was performed.

repadmin /showmeta "<GUID=GUID OF OBJECT>" <Domain Controller>

(On current versions of repadmin the same output comes from repadmin /showobjmeta <Domain Controller> "<GUID=GUID OF OBJECT>", with the DC first. The quotes around the GUID are required because of the angle brackets; in PowerShell they must be there as well.)

Example:

repadmin /showmeta "<GUID=64588b0d-a45c-4845-ae92-deb3e5930206>" DC1

35 entries. (Only the isDeleted row is shown here.)

Loc.USN   Originating DSA              Org.USN   Org.Time/Date        Ver  Attribute
=======   ===============              =======   =============        ===  =========
12944950  Default-First-Site-Name\DC1  12944950  2011-05-13 09:01:58    1  isDeleted

The Ver column tells you how many times the attribute has been written. In this case it is 1: the single write when the object was deleted.

If you undelete the object, isDeleted is written again and the version goes to 2.

Now that you have a date, time and originating DC, you can look up who made the change. The deletion is recorded in the Security log of the DC where it was performed, DC1 in this case, and is not replicated to the other DCs' event logs, so look on the Originating DSA rather than on whichever DC you happen to be connected to.

This assumes auditing was enabled before the object was deleted; enabling it afterwards will not recover the event.

Two audit subcategories are relevant, and both should be enabled on all the DCs, since each DC only logs the changes it originates. "User Account Management" produces event ID 4726 (A user account was deleted), which names the account that performed the deletion. "Directory Service Changes" produces event ID 5141 (A directory service object was deleted) for any object class, but these events are only written for objects whose SACL requests auditing of the delete operation.

Example:

auditpol /set /subcategory:"User Account Management" /success:enable

auditpol /set /subcategory:"Directory Service Changes" /success:enable

Look in the Security log for the event ID you are looking for, around the time the change was made.

In this case we are looking for event ID 4726 (User Delete) around 2011-05-13 09:01:58.

So filter the Security log on DC1 for these parameters.

In the matching event, the Subject fields (Security ID, Account Name, Logon ID) show which account deleted the object; the Logon ID can be matched against that account's 4624 logon event to see where the session came from.
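The whole procedure above, chained together, as an added example that is not part of the original post. It is assumed to be saved as a script (the name Find-ADDeleter.ps1 is made up), run from a machine with the Active Directory module and remote read access to the originating DC's Security log, with the DC name and time stamp taken from the repadmin output. The 4726 and 5141 field names (SubjectUserName, TargetUserName, ObjectGUID and so on) are the standard EventData names for those events.

```powershell
<#
  Added example (not from the original post). Usage, with the values from the
  repadmin /showmeta output above:
    .\Find-ADDeleter.ps1 -SamAccountName ThompsonDA -OriginatingDC DC1 -DeletedAt '2011-05-13 09:01:58'
  Assumes: ActiveDirectory module, remote access to the Security log on the
  originating DC, and auditing enabled before the deletion happened.
#>
param(
    [Parameter(Mandatory)][string]   $SamAccountName,   # e.g. 'ThompsonDA'
    [Parameter(Mandatory)][string]   $OriginatingDC,    # DC from the 'Originating DSA' column, e.g. 'DC1'
    [Parameter(Mandatory)][datetime] $DeletedAt,        # 'Org.Time/Date' of the isDeleted row
    [int]                            $WindowMinutes = 5 # slack either side of the time stamp
)

Import-Module ActiveDirectory

# Step 1: confirm the object really is a deleted object and take its GUID.
$obj = Get-ADObject -Filter "samAccountName -eq '$SamAccountName'" `
                    -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
if (-not $obj)           { throw "No object with sAMAccountName '$SamAccountName' found (deleted or live)." }
if (-not $obj.isDeleted) { throw "'$SamAccountName' still exists: $($obj.DistinguishedName)" }
$guid = $obj.ObjectGUID.ToString()

# Step 2: query only the originating DC. 4726/5141 are written on the DC where
# the delete was performed and are not replicated to other DCs' Security logs.
$filter = @{
    LogName   = 'Security'
    Id        = 4726, 5141    # 4726 = user account deleted, 5141 = DS object deleted
    StartTime = $DeletedAt.AddMinutes(-$WindowMinutes)
    EndTime   = $DeletedAt.AddMinutes($WindowMinutes)
}
$events = Get-WinEvent -ComputerName $OriginatingDC -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning ("No 4726/5141 events on $OriginatingDC between $($filter.StartTime) and $($filter.EndTime). " +
                   "Auditing may have been off, the log may have rolled over, or the time stamp may be in another time zone.")
    return
}

# Step 3: keep only the events that refer to this object and report who did it.
foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4726 identifies the deleted account by sAMAccountName; 5141 by objectGUID.
    $isOurs = switch ($e.Id) {
        4726 { $data.TargetUserName -eq $SamAccountName }
        5141 { ($data.ObjectGUID -replace '[{}]', '') -eq $guid }
    }
    if (-not $isOurs) { continue }

    if ($e.Id -eq 4726) { $target = $data.TargetUserName } else { $target = $data.ObjectDN }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        DC          = $e.MachineName
        DeletedBy   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        LogonId     = $data.SubjectLogonId   # match against a 4624 on the same DC to see where the session came from
        Target      = $target
    }
}
```

Matching on the target rather than just the time window matters on a busy DC, where several deletions can land within the same few minutes; the GUID check on 5141 also catches deletions of non-user objects (computers, groups, OUs) that never produce a 4726.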
