An administrator needs to find the events associated with an Active Directory user account that was deleted. The administrator cannot target the account by browsing the subsystem objects (per KB article: https://support.quest.com/kb/4320868) because the account has already been removed.
When an object is deleted in Active Directory, the events that are captured are “user changed” and “user object removed”. This is because the object is hidden and not actually physically deleted (for 60 days). Follow the steps below to target those Event Classes for a specific account:
Or alternatively
To return all events for the deleted user object for a specific time frame: