Hello Experts,
Thanks in advance....
Couple of AD ids were deleted in a span of couple of minutes (combination of Disabled, enabled user from couple of different OUs).
AD security event 4726 Show ID deletion time and account deleted the ids
AD security event 4624 event confims that the account deleted the IDs shown in 4726 event, has logon authenticated events at time of incident from specific computer
So question how can we conclude that the accounts were deleted by user accidently or by some automated mailicious process or program
can we correlate these two events directly?? Wanted to get into the root cause.
Also 4624 event shows
Logon Type 3 – Network in 4624 event.(is it true to say that the user not logged on to the computer interactively from connect keyboard of computer)
Required help in identifying more logon type 3
Thanks.....