Event ID 4726: A User Account Was Deleted [Fix]
Enable auditing using the ADSI Edit when you get this event ID
5 min. read
Updated on
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
Key notes
- The event ID 4726 indicates a user account has been deleted from the computer.
- You shouldn't be alarmed if this event ID appears unless the changes were made by a third party.
Some of our readers complain about seeing the Windows security event 4726 in the Domain Controller. The event log indicates A user account was deleted and other details about the recorded event. However, this guide will take you through how to fix the event ID.
Also, you can read about the event ID 7023 error and some fixes to resolve it on Windows 11.
What is event 4726?
Event ID 4726 is a Windows security event that indicates the deletion of a user account. When this event is logged, a user account was removed or deleted from the Windows Active Directory.
This event is typically recorded in the security event log on a Windows domain controller.
By monitoring Event ID 4726, system administrators can keep track of user account deletions in their Windows domain environment and identify any unauthorized or suspicious activities related to user accounts.
What causes the event ID 4726?
Various factors can cause event ID 4726. Here are some common scenarios that may trigger this event:
- Administrative action – An administrator or user with sufficient privileges deliberately deleted the user account using Active Directory tools or PowerShell commands.
- Account expiration – If a user account is to expire on a specific date or after a certain period, it can be automatically deleted by the system when the expiration condition exists.
- Account cleanup – User accounts may sometimes be deleted as part of routine maintenance or cleanup processes. It can be for removing inactive or unused accounts from the Active Directory environment.
- Termination or departure – When an employee leaves an organization, their user account may be deleted to revoke access to network resources and maintain security.
- Malicious activity – In unfortunate cases of unauthorized access or hacking attempts, an attacker with sufficient privileges may delete user accounts to disrupt operations, cover their tracks, or cause harm to the organization.
These factors can vary on different computers. Regardless, we’ll discuss some basic fixes to resolve the problem.
What can I do if I see event ID 4726?
1. Enable auditing using the ADSI Edit
- Press Windows + R keys to open the Run dialog box, type ADSIEdit.msc, and press Enter to open the Active Directory Service Interface (ADSI) console.
- Right-click the ADSI Edit option on the top-left side, then select Connect to from the drop-down.
- In the Connection Settings window, click the Select a well-known Naming Context option and select Default Naming Context in the drop-down menu, then click OK.
- Expand the Default Naming Context option, right-click on DC=www,DC=domain,DC=com, and select Properties from the context menu.
- Go to the Security tab and click Advanced to open the Advanced Security Settings.
- Select the Auditing tab and click Add to add the auditing entry for the users whose actions you want to monitor.
- Then, click the Select a principal option.
- Go to the Enter object name entry and type Everyone, click the Check Names button to verify the name, then click OK.
- On the Auditing Entry window, click the Type option and select All from the drop-down menu.
- Click Applies to and select This object and all descendant objects from the drop-down menu.
- Check the boxes for the following items: Full control, List content, Read all properties, and Read permissions, then click the OK button.
- On the Advanced Security Settings, click the Apply and OK buttons.
- Close the ADSI Edit window.
When you get the event ID 4726, you must track the deleted user and computer accounts. It has to be done by enabling the auditing in Active Directory Service Interface (ADSI).
2. Use Event Viewer to check deleted user accounts and computers in AD
- Left-click Start on the Windows menu, type Event Viewer, and press Enter.
- Now, go to Windows Logs and select Security.
- Search for the event ID 4726 (AD User/Account deleted event ID) and event ID 4743 (Computer account deleted event ID) to identify the user and computer account deletions.
- Then, scroll down to locate the accounts, computer objects, and computer accounts deleted.
Once you have enabled auditing, the Event Viewer will log deleted computer and user objects.
3. Use PowerShell to detect who deleted the account
- Left-click the Windows icon, type PowerShell, and click Run as administrator.
- Then, input the following and press Enter:
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4726} | Select-Object -Property *
- Locate the deleted user account under Message > Subject. The Account Name and security ID of the user that performed the deletion on the target user can be seen.
In conclusion, we have a comprehensive guide on how to clear the event log on Windows computers. Also, read about what event ID 4769 is and how to fix it.
If you have further questions or suggestions, kindly drop them in the comments section.
User forum
0 messages