How to create a search for the event(s) associated with an Active Directory user account that was deleted. (4255481)

An administrator needs to find the events associated with an Active Directory user account that was deleted. The Administrator is not able to target the account by browsing the subsystem objects (per KB article: https://support.quest.com/kb/4320868) since the account was already removed.

When an object is deleted in Active Directory the events that are captured are “user changed” and “user object removed” this is because the object is hidden and not actually physically deleted (for 60 days). Follow the steps below to target those Event Classes for a specific account:

1. Open the Change Auditor Client and select the “Search” tab
2. Click "New" in the Button Bar menu to create a new search
3. Select the "When"  tab in the searches properties section at the lower pane. Set the time period you want to search the events for. This is the important criteria to be configured because the deleted user account will be listed if the configured time period matches.
4. Select the “What” tab in the searches properties section at the lower pane
5. Click the “+ Add” button and type “Custom User Monitoring” under the Facility Column this facility includes User Object removed, User Object added, and etc.
6. Click the “Add” button in the lower pane and select "Add all the Events in facility" to move your selection to the parameter section and click "OK"
7. Under the What tab click the drop down arrow to the right of the "+ Add With Events"
8. Select “Subsystem” | “Active Directory” from the context menu
9. Change the Scope: to "This Object"
10. Under Object where it says 'Click here to filter data...' click the A icon and change the filter to 'Contains'
11. Enter all or part of the user account name until you see a corresponding entry in the lower section
12. Click “Add” to move the entry to the filter list below then click “OK”
13. Now run the search

Or alternatively 

1. Under the What tab click the drop-down arrow to the right of the +Add under the “What” tab.
2. Select “Subsystem” | “Active Directory” from the context menu.
3.  Change the Scope: to This Object.
4. Enter all or part of the user name between asterisks in the field to the right of the “LIKE” operator in the lower section
5. Click “Add” to move the entry to the filter list below then click “OK”
6. Now run the search.

To return all events for the deleted user object for a specific time frame:

1. On the What tab click Add
2. Under Event class type User changed or User object removed and click Add
3. Select the Layout tab
4. Under Unselected Columns type Description
5. Click the > arrow to add it to the Selected Columns
6. Run the Search
7. When the results are returned click the 'A' icon under the Description column and select Contains
8. Type the name of the user
9. Double-click the event that shows the original OU for the user
10. In the menu bar in the bottom pane click Related Search and select the User name (second entry from the bottom)