Sep 17, 2012

Pin point AD object deletion in event log

Ref: Technet blog here

This has been done before object being restored.

  1. Find out DN of the deleted object (using ldifde or adrestore).
    Ldifde –x –d “CN=Deleted Objects,DC=domain,DC=com” –f Deletedobj.ldf
  2. Know when the object was deleted, and on which DC
    Repadmin /Showobjmeta DCname “DN of the deleted object” > Delshowmeta.txt
    In the log, find attribute isDeleted, note the time
  3. Go to the source DC, in security log, find the logs at specific time. Event log IDs are
    630(2k3)/4726(2k8) for user objects
    647(2k3)/4743(2k8) for computer objects