How to Detect Who Deleted a User Account in Active Directory

We know that Active Directory is one of important part on Company system, For Company that do not have any specific staff to manage this server, they will assign all of staff to do job. This will make susceptible to security breach. So we need to know the activity of this server like "Who Deleted a User Account in Active Directory". I get some tips form Netwrix and Social Technet on Microsoft how to do it.

1. Run GPMC.msc → open “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings:
   • Local Policies → Audit Policy → Audit account management → Define → Success
   • Event Log → Define → Maximum security log size to 1gb and Retention method for security log to Overwrite events as needed.
2. Open ADSI Edit → Connect to Default naming context → right click “DC=domain name” → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click “Add” → Choose the following settings:
   • Principal: Everyone
   • Type: Success
   • Applies to: This object and all descendant objects
   • Permissions: Delete all child objects → Click “OK”.
3. In order to define what user account was deleted and who deleted it filter Security Event Log for Event ID 4726.

Source: www.netwrix.com | Tutorial on You Tube (Link)
Source: social.technet.microsoft.com by Santosh Bhandarkar