question

nekkuau-6290 avatar image
0 Votes"
nekkuau-6290 asked FanFan-MSFT commented

Local admin user gets deleted every time you sign in to a local user account

PC was transferred from domain to WG.
PC has local admin accounts:
gaadmin
res.local

New user account was created
gauser01

Upon login with res.local everything's fine, multiple restarts, all good.
Upon login with gauser01 (newly created user account) the admin account res.local (local admin account) gets deleted.
Event Viewer doesn't have any 4726 (user account deletion) or 4743 (computer account deletion) events.
See screenshot confirming the profile folder exists, while the account is not present.
Please advise how to track what removes the account.

90493-d198g12.png


windows-10-security
d198g12.png (243.5 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,

0 Votes 0 ·

Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

0 Votes 0 ·

1 Answer

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered FanFan-MSFT edited

Hi,

To audit the account deleted event, we need to enable the audit policy: Audit account management on the computer.
Open the local group policy editor:
90435-4231.jpg
Find the audit policy under:
90436-4232.jpg
Then run command: gpupdate /force
Best Regards,



4231.jpg (12.2 KiB)
4232.jpg (100.0 KiB)
4231.jpg (12.2 KiB)
4232.jpg (100.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.