When an object is deleted in Active Directory, the events that are captured are “user changed” and “user object removed”. This is because the object is hidden and not actually physically deleted (for 60 days). Follow the steps below to target those Event Classes for a specific account:
- Open the Change Auditor Client and select the “Search” tab
- Click "New" in the Button Bar menu to create a new search
- Select the “What” tab in the report properties section at the bottom
- Click the “Add” button and type “user” in the filter section of the Event Class column
- Select “user changed” and “user object removed”
- Click the “Add” button in the lower pane to move your selection to the parameter section and click “OK”
- Under the What tab click the drop-down arrow to the right of the +Add With Events
- Select “Subsystem” | “Active Directory” from the context menu
- Under Object where it says 'Click here to filter data...' click the A icon and change the filter to 'Contains'
- Enter all or part of the user name until you see a corresponding entry in the lower section
- Click “Add” to move the entry to the filter list below then click “OK”
- Now run the search.
Alternatively:
- Under the “What” tab, click the drop-down arrow to the right of +Add.
- Select “Subsystem” | “Active Directory” from the context menu.
- Change the Scope: to This Object.
- Enter all or part of the user name between asterisks in the field to the right of the “LIKE” operator in the lower section
- Click “Add” to move the entry to the filter list below then click “OK”
- Now run the search.
To return all events for the deleted user object for a specific time frame:
- On the What tab click Add
- Under Event class type User changed or User object removed and click Add
- Select the Layout tab
- Under Unselected Columns type Description
- Click the > arrow to add it to the Selected Columns
- Run the Search
- When the results are returned click the 'A' icon under the Description column and select Contains
- Type the name of the user
- Double-click the event that shows the original OU for the user
- In the menu bar in the bottom pane click Related Search and select the User name (second entry from the bottom)