Quantcast
Channel: Directory Services forum
Viewing all articles
Browse latest Browse all 31638

Tracking the ID deletion from which user, workstation and process.

$
0
0

Hello Experts,

Thanks in advance....

Couple of AD ids were deleted in a span of couple of minutes (combination of Disabled, enabled user from couple of different OUs).

AD security event 4726 Show ID deletion time and account deleted the ids

AD security event 4624 event confims that the account deleted the IDs shown in 4726 event, has logon authenticated events at time of incident from specific computer

So question how can we conclude that the accounts were deleted by user accidently or by some automated mailicious process or program

can we correlate these two events directly?? Wanted to get into the root cause.

Also 4624 event shows

Logon Type 3 – Network in 4624 event.(is it true to say that the user not logged on to the computer interactively from connect keyboard of computer)

Required help in identifying more logon type 3

Thanks.....


Viewing all articles
Browse latest Browse all 31638

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>