Recently I noticed that one of our users's account in AD gets deleted a few times during a day like every few hours.
The AD user account was created about 3 months ago and had been working fine till 2 days ago when this issue started to happen. And today the same thing is happening to another user. Both accounts were created at the same time (about 3 months ago). Both accounts in question are using the same ID (Username) as two of our previous staff members who left years ago whose accounts were deleted form AD back then.
Now we are re-using the usernames but those have different SID codes in AD now.
Have enabled auditing for account management on our DC and the the Security logs (Event ID 4726) show "ANONYMOUS LOGON" as the user account deleting AD objects as well as two different computer accounts one being a workstation (I have disabled the computer account in AD upon seeing this log) and one being the DC computer account itself. Disabling the computer account for the workstation has not helped as the account deletion is still happening. Would like to know if there is a way to find out more detail on the account that deletes AD objects, as in if we can IP address of the source machine/user who is deleting these objects in AD.
Thanks