How to Detect Deleted Users in Active Directory

The debate over whether to disable or delete user accounts when employees leave the organization is constant. For accounts that are no longer needed or for inactive users disabling the account temporarily is a recommended approach. This period allows time to monitor for any issues. If no problems arise during this time, the account can be deleted to reduce unnecessary clutter and mitigate any possible security risks.

How to delete an Active Directory user?

• Open Active Directory Users and Computers snap-in.
• Navigate to the respective OU and right-click the user who you wish to delete.
• Choose Delete and confirm the deletion process by clicking Yes in the prompt.

How to delete a user in Active Directory using PowerShell?

Remove-ADUser -Identity "<UserName>"

Replace the <UserName> with the distinguished name or sAMAccountName of the AD user you want to delete.

Manually removing multiple users from Active Directory can be a challenging and error-prone task. It not only consumes valuable time but also increases the risk of accidental deletion. To streamline this process and eliminate the need for repetitive actions, use the following script. It offers an efficient way to delete multiple Active Directory users with ease.

To bulk delete AD users using a CSV file

Import-Csv '<FilePath>' | Foreach-Object {
  Try {
    Get-ADUser $_.SamAccountName -ErrorAction SilentlyContinue | Out-Null
    Remove-ADUser $_.SamAccountName-Confirm:$False
  }
  Catch {
    Write-Host "Username '$_.SamAccountName' not found in Active Directory"
  }
} 

Replace the <FilePath> in the PowerShell script with the path where the CSV file is stored.

Restoring deleted Active Directory users is crucial for recovering accidentally removed user accounts. It ensures uninterrupted user access, avoids workflow disruptions, and prevents downtime.

However, Deleted AD user accounts can only be restored within the tombstone period after deletion. Once this period expires, the object will be permanently removed and cannot be restored. The tombstone lifetime is typically set to 180 days by default but can be modified in Active Directory.

Restore users in Active Directory using ADAC

• Open Active Directory Administrative Center.
• In the left-hand pane, click Deleted Objects under the domain name.
• Right-click on the user and select any of the following options to complete the restoration process.

  Restore: You can use this option to restore the user account to the same Organizational Unit (OU) where it was before deletion.

  Restore to: This option allows you to select a new Organizational Unit as the destination for restoring the user account.

Restore Active Directory users using PowerShell

Restore-ADObject -Identity "<UserName>"

Replace the <UserName> with the distinguished name of the user you wish to restore.

You can use the below cmdlet to get the distinguished name of the AD users.

Get-ADUser -filter * | Select-Object Name, DistinguishedName

It’s vital to check restored users, as they carry the hidden risks of retaining their previous resource permissions.

• You can track the restored users report to identify details such as who restored the users, when it occurred, etc.

• This enables you to quickly detect any unintended actions, such as restoring the wrong users and allowing for immediate corrective measures.

Losing important user accounts in Active Directory can be a major setback, but finding out who deleted them is the real puzzle. It’s not just about recovering lost accounts; it’s about understanding the why and how behind every deletion to maintain security, accountability, and control.

Find out who deleted the Active Directory users using PowerShell

Get-EventLog -LogName Security |
Where-Object {$_.EventID -eq 4726} |
Select-Object -Property EventID, MachineName, TimeGenerated, Source, Message

The above cmdlet retrieves the user deletion event log entry and provides a complete view of the event’s properties. In this output, you can find who deleted the user under Message»Subject

If you are looking for specific information like the time of deletion, who performed the deletion, and the deleted users, you can use the below cmdlet.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4726} |
Select-Object TimeCreated,
  @{Name='DeletedUser'; Expression={($_.Properties[0].Value)}},
  @{Name='DeletedBy'; Expression={($_.Properties[1].Value)}}

The deleted users report provides an audit trail of all user deletions in your organization. It includes details such as who deleted the user, when it occurred, audit status, event logged computer, and more.

Handy Tip: You can easily download the report in your preferred format, such as CSV, PDF, etc., for easy sharing and record-keeping using AdminDroid’s export feature.

In Active Directory, users managing sensitive groups and resources are essential for maintaining security and oversight. Accidental deletion of these users can open the door to unauthorized access and affect the management of critical resources. To prevent security risks and ensure proper access control, it's vital to protect these high-privileged user accounts from unintended deletion.

Protect users from accidental deletion in AD

• Open Active Directory Users and Computers console.
• Right-click the user you wish to protect from deletion and select Properties.
• Go to the Object tab, and check the box labelled “Protect object from accidental deletion”.
• Click Apply to enable protection for the Active Directory user.

Protect a user from deletion using PowerShell

Execute the below PowerShell cmdlet to protect users from unintentional deletion in Active Directory.

Set-ADObject -Identity "<UserName>" -ProtectedFromAccidentalDeletion $true

Replace the <UserName> with the distinguished name of the user you wish to protect.

• The users protected from accidental deletions report provides valuable insights into all users protected within your organization.

• This report offers detailed information about each protected user, including SAM account name, account status, manager, and more.
• It helps you identify critical users who are not yet protected, allowing you to take action and secure their accounts.