Active Directory Object Deletion

Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141 ("A directory service object was deleted") in the Security log of the domain controller that processed the deletion. Each record names the subject (account, domain, logon ID), the deleted object's distinguished name, GUID and class, and whether the operation was a tree delete. Examples of deleted object types and their impact:

  • User Account: the deleted user can no longer authenticate; deleting or recreating accounts is a common cleanup or denial-of-access step.
  • Group: deleting a security/distribution group removes every access grant and mail routing that referenced it.
  • Organizational Unit (OU): deleting an OU (often as a tree delete) removes its child objects and the configurations or policies linked to it.
  • Service Account: deletion disrupts the service that depends on it, or removes evidence of how the account was used.
  • Trust Object: removing a domain trust breaks cross-domain authentication and resource access.

Data Collection Measures:

  • Audit Policy:
    • Enable "Audit Directory Service Changes" (Success and Failure) on all domain controllers.
    • Path: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit Directory Service Changes.
    • Key Event: Event ID 5141. The subcategory alone is not enough: a 5141 is only written when the SACL of the deleted object (usually inherited from its parent container or the domain head) audits the Delete or Delete Subtree right for the deleting principal, so verify the SACL on containers that hold sensitive objects.
    • If the AD Recycle Bin is enabled, deleted objects are retained for the deleted-object lifetime and can be restored with Restore-ADObject; a 5141 is therefore not necessarily irreversible, but it still records who deleted what.
  • Log Forwarding: Use Windows Event Forwarding (WEF) to collect the Security channel from every domain controller into a central collector or SIEM (e.g., Splunk). A deletion is only recorded on the DC that performed it, so a single DC's log is never a complete view.
  • Enable EDR Monitoring:
    • Detect processes or users that initiate unauthorized object deletions.
    • Monitor tools and scripts that may delete directory objects (e.g., Remove-ADObject, Remove-ADUser, ldifde, ADSI Edit, Active Directory Users and Computers).

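The detection side of the procedure above, as an added example that is not part of the original page or of the ATT&CK project's own code: it parses Event ID 5141 records in the XML shape Windows writes them (the same shape Get-WinEvent's ToXml() or a WEF subscription delivers) and flags deletions of high-impact classes, tree deletes, deletions by accounts outside an approved list, and bursts of deletions from one logon session. The class list, the approved account CORP\svc-adprov, the burst threshold and the sample records (including a 5136 attribute-change record used only to show filtering) are constructed assumptions for the example; tune them to the environment.

```python
"""Detection logic for Windows Security Event ID 5141 ("A directory service
object was deleted"). Parses the event XML as exported by Get-WinEvent or
forwarded by WEF, then flags risky deletions. All sample records below are
constructed for this example, not captured from a real domain."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumptions to tune per environment: classes whose loss is high impact,
# the accounts expected to delete objects, and what counts as a burst.
HIGH_IMPACT_CLASSES = {"organizationalUnit", "trustedDomain", "group",
                       "groupPolicyContainer", "msDS-ManagedServiceAccount"}
APPROVED_DELETERS = {"CORP\\svc-adprov"}
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(minutes=5)


def _parse_system_time(system_time):
    # Windows writes 7 fractional digits; strptime's %f accepts at most 6.
    base, _, frac = system_time.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt + timedelta(microseconds=int((frac + "000000")[:6]))


def parse_5141(xml_text):
    """Return the fields of a 5141 record as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if int(system.find("e:EventID", NS).text) != 5141:
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "time": _parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.find("e:Computer", NS).text,
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "logon_id": data["SubjectLogonId"],
        "object_dn": data["ObjectDN"],
        "object_class": data["ObjectClass"],
        # The sample uses the rendered Yes/No value; a raw export may carry a
        # %% message token here that a rendering step must resolve first.
        "tree_delete": data.get("TreeDelete", ""),
    }


def assess(events):
    """Score parsed 5141 events; returns a list of finding dicts."""
    findings = []
    recent_by_logon = {}  # logon id -> deletion times inside BURST_WINDOW
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        if ev["object_class"] in HIGH_IMPACT_CLASSES:
            reasons.append(f"high-impact class {ev['object_class']}")
        if ev["tree_delete"] == "Yes":
            reasons.append("tree delete removed the object and its children")
        if ev["subject"] not in APPROVED_DELETERS:
            reasons.append(f"{ev['subject']} is not an approved deleter")
        window = recent_by_logon.setdefault(ev["logon_id"], [])
        window.append(ev["time"])
        while ev["time"] - window[0] > BURST_WINDOW:  # drop old entries
            window.pop(0)
        if len(window) >= BURST_THRESHOLD:
            reasons.append(f"burst: {len(window)} deletions within "
                           f"{BURST_WINDOW} by logon {ev['logon_id']}")
        if reasons:
            findings.append({"severity": "high" if len(reasons) > 1 else "medium",
                             "subject": ev["subject"], "object_dn": ev["object_dn"],
                             "object_class": ev["object_class"],
                             "computer": ev["computer"], "reasons": reasons})
    return findings


def _sample_event(event_id, system_time, user, logon_id, dn, obj_class, tree):
    # Constructed skeleton of a Security event; only the fields parsed above.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel>
    <Computer>DC01.corp.local</Computer></System>
  <EventData><Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">{logon_id}</Data>
    <Data Name="DSName">corp.local</Data><Data Name="ObjectDN">{dn}</Data>
    <Data Name="ObjectClass">{obj_class}</Data><Data Name="TreeDelete">{tree}</Data>
  </EventData></Event>"""


SAMPLE_EVENTS_XML = [  # constructed: one routine deletion, one 5136, then a rogue spree
    _sample_event(5141, "2025-10-21T09:00:00.1234567Z", "svc-adprov", "0x3e7a1",
                  "CN=jdoe,OU=Staff,DC=corp,DC=local", "user", "No"),
    _sample_event(5136, "2025-10-21T09:01:00.0000000Z", "svc-adprov", "0x3e7a1",
                  "CN=jsmith,OU=Staff,DC=corp,DC=local", "user", "No"),
    _sample_event(5141, "2025-10-21T09:05:10.0000000Z", "bob", "0x5c2f9",
                  "CN=Finance Admins,OU=Groups,DC=corp,DC=local", "group", "No"),
    _sample_event(5141, "2025-10-21T09:06:30.0000000Z", "bob", "0x5c2f9",
                  "OU=Branch,DC=corp,DC=local", "organizationalUnit", "Yes"),
    _sample_event(5141, "2025-10-21T09:07:45.0000000Z", "bob", "0x5c2f9",
                  "CN=WS01,OU=Workstations,DC=corp,DC=local", "computer", "No"),
]


def run_detection(xml_records=SAMPLE_EVENTS_XML):
    """Parse a batch of event XML records and return the findings."""
    events = [e for e in (parse_5141(x) for x in xml_records) if e]
    return assess(events)


if __name__ == "__main__":
    for f in run_detection():
        print(f"[{f['severity']}] {f['subject']} deleted {f['object_class']} "
              f"{f['object_dn']} on {f['computer']}: {'; '.join(f['reasons'])}")
```

The routine deletion by the approved provisioning account produces no finding, while the three deletions by CORP\bob each do: the group and OU by class, the OU additionally as a tree delete, and the workstation object because it is the third deletion from the same logon session within five minutes. Keying the burst window on SubjectLogonId rather than on the user name ties the spree to one session, which is what you want when the same admin account is legitimately in use elsewhere.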
ID: DC0068
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                            Channel
WinEventLog:DirectoryService    EventCode=4929

Note: Event ID 4929 is "An Active Directory replica source naming context was removed", a replication event rather than a per-object deletion; the per-object deletion record described above is Event ID 5141 in the Security channel.

Detection Strategy