As opposed to???
If you think the deletion occurred within the tombstone
lifetime period, you can query the deleted objects container for the user. You
can do that with LDP or adfind. With LDP you check in the control, with adfind
you add -showdel and make sure you have perms to see into
Chris Pohlschneider wrote:
Is there a way to tell if a user account has been deleted?
Active Directory Users computers, ADSIEDit.exe, ldp.exe, adfind.exe -
couple more. Repadmin.exe also can be used.
--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
by, you really cannot find it anymore when querying AD
;-)
jorge
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
PohlschneiderSent: Friday, October 06, 2006 14:34To:
ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account
deletion
Is
>From Microsoft's website: Event ID: 630 Type: Success AuditDescription: User Account Deleted: Target Account Name: %1Target Domain: %2 Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, mattering on your environment (or impossible, if your event logs roll over frequently and you don't save them off
