Is there a way to show when a user was deactivated or deleted in AD?
You can follow along here to set up the auditing.
https://www.lepide.com/how-to/audit-user-account-changes-in-active-directory.html
--please don't forget to Accept as answer if the reply is helpful--
Thank you. It looks like the user was deleted quite a while ago and was not found in the Event Viewer Security tab using code 4726 for deleted user. Is there perhaps a PowerShell command or something that I might be able to use?
Hi,
Once the policy "Audit account management" is applied, the account change events will be logged.
But it will not log the changes that happened before the audit policy.
You can get the disabled or deleted accounts through commands, but can't get more details for them.
For your reference:
https://blog.netwrix.com/2017/06/15/powershell-find-disabled-or-inactive-users-and-computers-in-ad/
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,
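As an added example (not code from the replies above or from the linked articles), the directory's own replication metadata can give a change time for disabled and deleted accounts even when no audit event was logged. It assumes the ActiveDirectory PowerShell module (RSAT) and an account allowed to read the Deleted Objects container.

```powershell
# Added example. Assumes the ActiveDirectory module and read access to deleted objects.
Import-Module ActiveDirectory

# Replication metadata must be read from a specific domain controller.
$dc = (Get-ADDomainController).HostName

# 1. Disabled accounts. LastOriginatingChangeTime on userAccountControl is the last
#    time that attribute changed: usually the disable, but any other flag change
#    (for example "password never expires") also updates it.
Get-ADUser -Filter 'Enabled -eq $false' -Server $dc | ForEach-Object {
    $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                -Server $dc -Properties userAccountControl
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        State          = 'Disabled'
        LastChange     = $meta.LastOriginatingChangeTime
        OriginatingDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
    }
}

# 2. Deleted accounts that still exist as deleted objects/tombstones. The isDeleted
#    attribute is written when the object is deleted, so its metadata timestamp is
#    the deletion time. Once the tombstone lifetime has expired the object is
#    purged and no date can be recovered this way.
Get-ADObject -IncludeDeletedObjects -Server $dc `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"' `
    -Properties sAMAccountName, lastKnownParent | ForEach-Object {
    $meta = Get-ADReplicationAttributeMetadata -Object $_.ObjectGUID `
                -Server $dc -IncludeDeletedObjects -Properties isDeleted
    [pscustomobject]@{
        SamAccountName  = $_.sAMAccountName
        State           = 'Deleted'
        LastChange      = $meta.LastOriginatingChangeTime
        LastKnownParent = $_.lastKnownParent
    }
}
```

The metadata shows when and on which domain controller the change originated, not who made it; identifying the actor still requires the audit events (such as 4726) to have been enabled at the time.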