question

RoccoDipaolo-7790 avatar image
0 Votes"
RoccoDipaolo-7790 asked FanFan-MSFT answered

Is there a way to show when a user was deactivated or deleted in AD?

Is there a way to show when a user was deactivated or deleted in AD?

windows-server
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered RoccoDipaolo-7790 commented

You can follow along here to set up the auditing.
https://www.lepide.com/how-to/audit-user-account-changes-in-active-directory.html

--please don't forget to Accept as answer if the reply is helpful--





· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you. It looks like the user was deleted quite awhile ago and not found in the event viewer security tab using code 4726 for deleted user. Is there parhaps a powershell command or something that i might be ablke to use?

0 Votes 0 ·
FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered

Hi,

Once the policy: Audit account management was applied , the account change events will be logged.
But it will not log the changes happened before the audit policy.
You can get the disabled or deleted accounts through commands, but can't get more details for them.
For your reference:
https://blog.netwrix.com/2017/06/15/powershell-find-disabled-or-inactive-users-and-computers-in-ad/
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.