ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer Security logs and Active Directory management interface
Event ID 4660InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4660 – Microsoft-Windows-Security-Auditing: Object Deleted

Event ID 4660 logs when an object is deleted from Active Directory or the local security database, providing audit trail for security-sensitive deletions including user accounts, groups, and organizational units.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4660Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4660 represents a fundamental component of Windows security auditing infrastructure, specifically designed to track object deletion activities across Active Directory domains and local systems. When Windows processes an object deletion request, the system first validates permissions, performs the deletion operation, and then generates this audit event to create a permanent record of the action.

The event contains detailed metadata including the Security Identifier (SID) of the deleted object, the distinguished name (DN) if applicable, the user account that initiated the deletion, the process responsible for the operation, and precise timestamp information. This granular detail enables forensic analysis and helps administrators understand the context surrounding object deletions.

Modern Windows environments in 2026 have enhanced this event with additional context fields, including correlation identifiers that link related audit events and improved object classification data. The event integrates seamlessly with Microsoft Sentinel, Azure Monitor, and third-party SIEM solutions for centralized security monitoring.

Organizations typically see Event ID 4660 during routine administrative tasks like user account cleanup, organizational restructuring, or automated provisioning system operations. However, unexpected occurrences may indicate unauthorized access, privilege escalation attempts, or malicious insider activity requiring immediate investigation.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrative deletion of user accounts, groups, or computer objects through Active Directory Users and Computers
  • Automated provisioning systems removing expired or deprovisioned accounts
  • PowerShell scripts or command-line tools executing Remove-ADUser, Remove-ADGroup, or similar cmdlets
  • Third-party identity management solutions performing cleanup operations
  • LDAP applications or custom software deleting directory objects programmatically
  • Group Policy processing removing outdated computer objects during cleanup cycles
  • Exchange Server removing mail-enabled objects during mailbox deletion procedures
  • Malicious actors with elevated privileges attempting to cover tracks by deleting evidence
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4660 to understand what was deleted and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4660 in the Event IDs field and click OK
  5. Double-click on a 4660 event to view detailed information
  6. Review the following key fields in the event details:
    • Subject: Shows who performed the deletion
    • Object: Contains the deleted object's SID and handle information
    • Process Information: Identifies the process that initiated the deletion
  7. Note the timestamp and correlate with other security events if suspicious activity is suspected
Pro tip: Look for patterns in deletion times and user accounts to identify automated processes versus manual administrative actions.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4660 occurrences across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent 4660 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Search for deletions by a specific user account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660} | Where-Object {$_.Message -like "*DOMAIN\username*"} | Select-Object TimeCreated, Message
  4. Export events to CSV for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660} -MaxEvents 1000 | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='User';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'}).Split(':')[1].Trim()}}, @{Name='ObjectSID';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Object > Security ID:*'}).Split(':')[1].Trim()}} | Export-Csv -Path "C:\Temp\Event4660_Analysis.csv" -NoTypeInformation
  5. Query events from multiple remote systems:
    $computers = @("DC01", "DC02", "FILESERVER01")
foreach ($computer in $computers) {
    Get-WinEvent -ComputerName $computer -FilterHashtable @{LogName='Security'; Id=4660} -MaxEvents 10 -ErrorAction SilentlyContinue
}
Warning: Querying large Security logs can impact system performance. Use -MaxEvents parameter to limit results and run during maintenance windows.
03

Correlate with Active Directory Recycle Bin

Cross-reference Event ID 4660 with Active Directory Recycle Bin contents to verify legitimate deletions and potentially recover objects.

  1. Enable Active Directory Recycle Bin if not already enabled (requires Windows Server 2008 R2 or later forest functional level):
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
  2. List recently deleted objects in the Recycle Bin:
    Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties whenChanged, DisplayName, SamAccountName | Sort-Object whenChanged -Descending
  3. Find specific deleted objects by correlating SIDs from Event 4660:
    $deletedSID = "S-1-5-21-1234567890-1234567890-1234567890-1001"
Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects -Properties objectSid, whenChanged, DisplayName | Where-Object {$_.objectSid -eq $deletedSID}
  4. Restore accidentally deleted objects if necessary:
    Get-ADObject -Filter {Deleted -eq $true -and DisplayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject
  5. Generate a report of deletions with timestamps:
    $report = @()
Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects -Properties whenChanged, DisplayName, ObjectClass, LastKnownParent | ForEach-Object {
    $report += [PSCustomObject]@{
        Name = $_.DisplayName
        ObjectClass = $_.ObjectClass
        DeletedDate = $_.whenChanged
        LastLocation = $_.LastKnownParent
    }
}
$report | Export-Csv -Path "C:\Temp\DeletedObjects_Report.csv" -NoTypeInformation
Pro tip: The Active Directory Recycle Bin retention period is 180 days by default. Objects older than this are permanently deleted and cannot be recovered through standard methods.
04

Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on suspicious object deletion patterns using Windows Event Forwarding and custom PowerShell solutions.

  1. Configure Windows Event Forwarding (WEF) to centralize Event ID 4660 collection:
    • On the collector server, run: 
      wecutil qc
    • Create a custom subscription XML file for Event 4660:
      <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Event4660Collection</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Collect Event ID 4660 from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[EventID=4660]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
</Subscription>
  2. Create a PowerShell monitoring script that runs as a scheduled task:
    # Monitor4660.ps1
$threshold = 10 # Alert if more than 10 deletions in last hour
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660; StartTime=(Get-Date).AddHours(-1)}

if ($events.Count -gt $threshold) {
    $alertMessage = "ALERT: $($events.Count) object deletions detected in the last hour"
    Write-EventLog -LogName Application -Source "Custom Security Monitor" -EventId 9001 -EntryType Warning -Message $alertMessage
    
    # Send email alert (configure SMTP settings)
    Send-MailMessage -To "admin@company.com" -From "security@company.com" -Subject "High Volume Object Deletions Detected" -Body $alertMessage -SmtpServer "mail.company.com"
}
  3. Register the script as a scheduled task:
    $action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor4660.ps1"
$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration ([TimeSpan]::MaxValue) -Once -At (Get-Date)
$principal = New-ScheduledTaskPrincipal -UserID "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "Monitor Event 4660" -Action $action -Trigger $trigger -Principal $principal
  4. Create custom Windows Performance Toolkit (WPT) rules for real-time monitoring:
    <!-- Save as Event4660Monitor.xml -->
<Rules>
  <Rule Name="Object Deletion Monitor" Enabled="true">
    <EventLog>Security</EventLog>
    <EventId>4660</EventId>
    <Action Type="Alert">
      <Message>Object deleted: Check for unauthorized activity</Message>
    </Action>
  </Rule>
</Rules>
Warning: High-frequency monitoring can generate significant log volume. Implement log rotation and archival policies to manage storage requirements.
05

Forensic Analysis and Incident Response

Perform comprehensive forensic analysis when Event ID 4660 indicates potential security incidents or unauthorized object deletions.

  1. Create a forensic timeline by correlating multiple event sources:
    # Collect related security events for timeline analysis
$startTime = (Get-Date).AddDays(-7)
$endTime = Get-Date

# Gather authentication events (4624, 4625), privilege use (4672), and object access (4660, 4661, 4662)
$forensicEvents = @(4624, 4625, 4648, 4672, 4660, 4661, 4662)
$timeline = @()

foreach ($eventId in $forensicEvents) {
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$eventId; StartTime=$startTime; EndTime=$endTime} -ErrorAction SilentlyContinue
    $timeline += $events
}

$timeline | Sort-Object TimeCreated | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventType';Expression={switch($_.Id){4624{'Logon'};4625{'Failed Logon'};4648{'Explicit Logon'};4672{'Privilege Use'};4660{'Object Deleted'};4661{'Handle Requested'};4662{'Object Accessed'};default{'Other'}}}} | Export-Csv -Path "C:\Forensics\SecurityTimeline.csv" -NoTypeInformation
  2. Analyze user behavior patterns around deletion events:
    # Identify users with unusual deletion patterns
$deletionEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660; StartTime=(Get-Date).AddDays(-30)}
$userDeletions = @{}

foreach ($event in $deletionEvents) {
    $message = $event.Message
    $userMatch = [regex]::Match($message, 'Account Name:\s+([^\r\n]+)')
    if ($userMatch.Success) {
        $user = $userMatch.Groups[1].Value.Trim()
        if ($userDeletions.ContainsKey($user)) {
            $userDeletions[$user]++
        } else {
            $userDeletions[$user] = 1
        }
    }
}

$userDeletions.GetEnumerator() | Sort-Object Value -Descending | Select-Object @{Name='User';Expression={$_.Key}}, @{Name='DeletionCount';Expression={$_.Value}} | Export-Csv -Path "C:\Forensics\UserDeletionAnalysis.csv" -NoTypeInformation
  3. Extract and preserve evidence for legal or compliance purposes:
    # Create forensic evidence package
$evidenceDir = "C:\Forensics\Event4660_Investigation_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $evidenceDir -Force

# Export raw event logs
wevtutil epl Security "$evidenceDir\Security_EventLog.evtx" "/q:*[System[EventID=4660]]"

# Generate detailed report
$report = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660; StartTime=(Get-Date).AddDays(-30)} | ForEach-Object {
    $message = $_.Message
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        EventId = $_.Id
        Computer = $_.MachineName
        User = if ($message -match 'Account Name:\s+([^\r\n]+)') { $matches[1].Trim() } else { 'Unknown' }
        Domain = if ($message -match 'Account Domain:\s+([^\r\n]+)') { $matches[1].Trim() } else { 'Unknown' }
        ObjectSID = if ($message -match 'Object > Security ID:\s+([^\r\n]+)') { $matches[1].Trim() } else { 'Unknown' }
        ProcessName = if ($message -match 'Process Name:\s+([^\r\n]+)') { $matches[1].Trim() } else { 'Unknown' }
        FullMessage = $message
    }
}

$report | Export-Csv -Path "$evidenceDir\Event4660_DetailedReport.csv" -NoTypeInformation

# Create hash verification file
Get-ChildItem $evidenceDir -File | ForEach-Object {
    $hash = Get-FileHash $_.FullName -Algorithm SHA256
    "$($hash.Hash)  $($_.Name)" | Out-File -Append -FilePath "$evidenceDir\SHA256_Hashes.txt"
}
  4. Document findings and create incident response report:
    # Generate executive summary report
$summary = @"
Event ID 4660 Forensic Analysis Summary
Generated: $(Get-Date)
Analysis Period: Last 30 days

Key Findings:
- Total deletion events: $($report.Count)
- Unique users involved: $(($report | Group-Object User).Count)
- Peak deletion time: $(($report | Group-Object {$_.TimeCreated.Hour} | Sort-Object Count -Descending | Select-Object -First 1).Name):00
- Most active user: $(($report | Group-Object User | Sort-Object Count -Descending | Select-Object -First 1).Name)

Recommendations:
1. Review deletion patterns for anomalies
2. Verify all deletions were authorized
3. Implement additional monitoring if suspicious activity detected
4. Consider implementing approval workflows for sensitive object deletions
"@

$summary | Out-File -FilePath "$evidenceDir\Executive_Summary.txt"
Write-Host "Forensic analysis complete. Evidence package created at: $evidenceDir" -ForegroundColor Green
Pro tip: Always preserve original event logs before analysis and maintain chain of custody documentation for legal proceedings. Consider using write-protected storage for forensic evidence.

Overview

Event ID 4660 fires whenever an object is deleted from Active Directory or the local Security Accounts Manager (SAM) database. This security audit event captures critical information about object deletions, including user accounts, computer objects, groups, organizational units, and other directory objects. The event provides essential forensic data for compliance auditing and security investigations.

This event only appears when object access auditing is enabled through Group Policy or local security policy. Windows generates 4660 immediately after a successful deletion operation, recording the security identifier of the deleted object, the user who performed the deletion, and the timestamp. The event appears in the Security log and requires administrative privileges to view.

Understanding Event ID 4660 is crucial for maintaining security baselines, investigating unauthorized deletions, and meeting compliance requirements like SOX, HIPAA, or PCI-DSS. System administrators rely on this event to track changes to critical directory objects and identify potential security incidents involving object manipulation.

Frequently Asked Questions

What does Event ID 4660 mean and when does it occur?+
Event ID 4660 indicates that an object has been successfully deleted from Active Directory or the local Security Accounts Manager (SAM) database. This event occurs immediately after Windows completes a deletion operation for security-sensitive objects like user accounts, groups, computer objects, or organizational units. The event only appears when object access auditing is enabled through Group Policy and provides crucial audit trail information including who performed the deletion, what was deleted (via Security Identifier), and when the deletion occurred. This event is essential for security monitoring, compliance auditing, and forensic investigations.
How do I enable auditing to see Event ID 4660 in my environment?+
To enable Event ID 4660 logging, you must configure object access auditing through Group Policy. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access, then enable 'Audit Directory Service Access' for domain controllers or 'Audit Object Access' for local systems. Set the policy to audit both Success and Failure events. Additionally, you may need to configure specific object-level auditing (SACL) on sensitive containers or objects. After applying the policy through gpupdate /force, Event ID 4660 will begin appearing in the Security log when objects are deleted. Note that enabling comprehensive auditing can generate significant log volume, so plan for adequate log storage and retention.
Can I recover objects that triggered Event ID 4660 using Active Directory Recycle Bin?+
Yes, if Active Directory Recycle Bin is enabled in your environment, you can potentially recover deleted objects that generated Event ID 4660. The Recycle Bin feature, available since Windows Server 2008 R2, preserves deleted objects for a configurable retention period (default 180 days). Use PowerShell commands like Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects to view deleted objects, and Restore-ADObject to recover them. You can correlate the Security Identifier (SID) from Event 4660 with deleted objects in the Recycle Bin to identify specific items for recovery. However, objects deleted before enabling the Recycle Bin or those exceeding the retention period cannot be recovered through this method and would require authoritative restore from backup.
How can I distinguish between legitimate administrative deletions and potentially malicious activity in Event ID 4660?+
Distinguishing legitimate from malicious deletions requires analyzing patterns and context around Event ID 4660 occurrences. Legitimate deletions typically show predictable patterns: regular business hours, known administrative accounts, correlation with change management tickets, and gradual deletion rates. Suspicious indicators include: deletions outside business hours, unusual user accounts performing deletions, high-volume deletions in short timeframes, deletions of high-privilege accounts or security groups, and deletions immediately following authentication events from unusual locations. Cross-reference Event 4660 with logon events (4624), privilege use events (4672), and failed authentication attempts (4625) to build a complete picture. Implement baseline monitoring to establish normal deletion patterns, then alert on deviations. Consider requiring approval workflows for sensitive object deletions and maintaining detailed change logs.
What PowerShell commands are most effective for analyzing Event ID 4660 across multiple domain controllers?+
For multi-domain controller analysis of Event ID 4660, use Get-WinEvent with remote computer parameters and filtering hashtables. Start with: Get-WinEvent -ComputerName @('DC01','DC02','DC03') -FilterHashtable @{LogName='Security'; Id=4660; StartTime=(Get-Date).AddDays(-7)} to collect events from multiple DCs. For detailed analysis, extract specific fields using regex parsing: $events | ForEach-Object { [PSCustomObject]@{ Time=$_.TimeCreated; User=if($_.Message -match 'Account Name:\s+([^\r\n]+)'){$matches[1].Trim()}; ObjectSID=if($_.Message -match 'Security ID:\s+([^\r\n]+)'){$matches[1].Trim()} } }. Use Invoke-Command for parallel processing across multiple servers: Invoke-Command -ComputerName $DCs -ScriptBlock { Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660} -MaxEvents 100 }. Export results to CSV for analysis in Excel or import into SIEM tools. Consider using background jobs for large-scale queries to avoid timeout issues.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive Microsoft documentation covering Windows security auditing events, including Event ID 4660 and related object access audit events.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial Microsoft guide for configuring advanced audit policies required to generate Event ID 4660 and other security audit events.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4660#security-auditing#active-directory

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...