
Windows Event ID 4726 – Microsoft-Windows-Security-Auditing: User Account Deleted

Event ID 4726 fires when a user account is deleted from Active Directory or the local system. It is a critical security event for tracking the account lifecycle and detecting potentially unauthorized deletions.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 4726 represents one of the most significant account management events in Windows security auditing. When this event fires, it indicates that a user account has been permanently removed from the system's security database, whether that's the local SAM on a standalone machine or Active Directory in a domain environment.

The event contains comprehensive details including the subject who performed the deletion (with their SID, account name, and domain), the target account that was deleted (including its SID, name, and domain), and the logon ID of the session where the deletion occurred. The SID information is particularly valuable because it uniquely identifies accounts even after deletion, enabling forensic reconstruction of events.

Windows generates this event through the Local Security Authority Subsystem Service (LSASS) when account deletion operations complete successfully. The event fires for all user account types including regular users, service accounts, and computer accounts when deleted through standard Windows interfaces or APIs. It does not fire for accounts that are merely disabled or moved to different organizational units.

In Active Directory environments, this event appears on domain controllers where the deletion was processed. For local accounts, it appears on the specific machine where the account existed. The event timing is synchronous with the actual deletion operation, making it reliable for real-time monitoring and alerting systems.
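The fields described above live in the event's EventData block as named `<Data>` elements, which is a more reliable source than the rendered message text. The following function is an added example (it is not code from the article or from Microsoft): it parses the XML of a 4726 event into a structured object. The embedded sample event is constructed to mirror the 4726 schema; the domain CORP, the account names, SIDs and the logon ID in it are made-up values.

```powershell
# Added example (not from the article): parse a 4726 event's EventData by field name.
# Works on the XML string returned by (Get-WinEvent ...).ToXml() and on the constructed
# sample below; the sample's domain, names, SIDs and logon ID are invented.

function ConvertFrom-AccountDeletionEvent {
    [CmdletBinding()]
    param(
        # Raw event XML, for example from $event.ToXml()
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $x = [xml]$EventXml
        if ($x.Event.System.EventID -ne '4726') {
            throw "Expected Event ID 4726, got $($x.Event.System.EventID)"
        }
        # Build a name -> value table from the <Data Name="..."> elements.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        [pscustomobject]@{
            TimeCreated    = [datetime]$x.Event.System.TimeCreated.SystemTime
            Computer       = $x.Event.System.Computer
            RecordId       = [int64]$x.Event.System.EventRecordID
            DeletedAccount = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            DeletedSid     = $d.TargetSid        # survives the deletion; key for later correlation
            DeletedBy      = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            DeletedBySid   = $d.SubjectUserSid
            SubjectLogonId = $d.SubjectLogonId   # equals TargetLogonId of the subject's 4624 logon
            PrivilegeList  = $d.PrivilegeList
        }
    }
}

# Constructed sample event (hypothetical domain CORP, made-up SIDs and logon ID).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4726</EventID>
    <TimeCreated SystemTime="2024-05-01T09:15:32.123456700Z"/>
    <EventRecordID>123456</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e5a2</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

# Offline check against the constructed sample...
$sampleXml | ConvertFrom-AccountDeletionEvent | Format-List

# ...and the same function against live events from the local Security log.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertFrom-AccountDeletionEvent | Format-Table -AutoSize
```

Because the object carries both SIDs and the subject's logon ID, its output can be joined directly against 4624/4634 logon events and against Recycle Bin queries without re-parsing message text.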

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Administrator manually deleting user accounts through Active Directory Users and Computers console
  • PowerShell scripts using Remove-ADUser or Remove-LocalUser cmdlets to delete accounts
  • Command-line tools like net user /delete or dsrm.exe removing user accounts
  • Automated provisioning systems or identity management solutions performing account cleanup
  • Group Policy-driven account deletion processes in enterprise environments
  • Third-party identity management tools executing account lifecycle operations
  • Bulk account deletion operations during organizational restructuring or system migrations
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the complete event details to understand the deletion context:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4726 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4726 in the Event IDs field and click OK
  5. Double-click on a 4726 event to view detailed information including:
    • Subject: Who deleted the account (Account Name, Account Domain, Logon ID)
    • Target Account: Which account was deleted (Account Name, Account Domain, Security ID)
    • Additional Information: Privileges used for the operation
  6. Note the timestamp and correlate with any change management processes or administrative activities
Pro tip: The Security ID (SID) in the Target Account section uniquely identifies the deleted account and can be used to trace its history across multiple events.
02. Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze account deletion events programmatically:

  1. Open PowerShell as Administrator
  2. Query recent account deletion events:
    # 4726 EventData order: TargetUserName, TargetDomainName, TargetSid, SubjectUserSid,
    # SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList. Reading the typed
    # Properties is more reliable than scraping the rendered message, where the first
    # "Account Name:" line belongs to the Subject, not to the deleted account.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} -MaxEvents 50 |
        Select-Object TimeCreated, Id,
            @{Name='DeletedAccount'; Expression={ '{0}\{1}' -f $_.Properties[1].Value, $_.Properties[0].Value }},
            @{Name='DeletedSid';     Expression={ $_.Properties[2].Value }},
            @{Name='DeletedBy';      Expression={ '{0}\{1}' -f $_.Properties[5].Value, $_.Properties[4].Value }},
            @{Name='SubjectLogonId'; Expression={ '0x{0:x}' -f $_.Properties[6].Value }}
  3. Export events to CSV for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} | Select-Object TimeCreated, LevelDisplayName, @{Name='Message';Expression={$_.Message}} | Export-Csv -Path "C:\Temp\AccountDeletions.csv" -NoTypeInformation
  4. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726; StartTime=$StartTime; EndTime=$EndTime}
  5. Search for deletions by specific administrator:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} | Where-Object {$_.Message -match 'DOMAIN\\AdminUsername'}
Warning: Large Security logs can impact performance. Use -MaxEvents parameter to limit results and consider filtering by time ranges for better performance.
03. Correlate with Active Directory Changes

In domain environments, correlate Event ID 4726 with other Active Directory events for complete context:

  1. Check for related events on domain controllers:
    Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4726,4728,4729,4732,4733} -MaxEvents 100 | Sort-Object TimeCreated
  2. Query Directory Service log for additional context:
    Get-WinEvent -FilterHashtable @{LogName='Directory Service'} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1) -and $_.Message -match 'delete'}
  3. Use Active Directory PowerShell module to check for recently deleted objects:
    Import-Module ActiveDirectory
    Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects -Properties whenChanged,whenCreated,DisplayName | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-1)}
  4. Check the Active Directory Recycle Bin if enabled:
    Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq 'user'} -IncludeDeletedObjects -Properties DisplayName,whenChanged,LastKnownParent
  5. Review Group Policy changes that might trigger automated deletions:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} | Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-1)}
Pro tip: Enable Active Directory Recycle Bin to recover accidentally deleted accounts. Use Enable-ADOptionalFeature cmdlet with the Recycle Bin feature.
04. Implement Monitoring and Alerting

Set up proactive monitoring to detect unauthorized account deletions:

  1. Create a custom Event Viewer view for account deletions:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Set Event level to Information
    • Enter 4726 in Event IDs
    • Select Security from Event logs
    • Name the view "Account Deletions" and save
  2. Configure Windows Event Forwarding (WEF) to centralize events:
    # On collector server
    wecutil qc /q
    # Create subscription
    wecutil cs subscription.xml
  3. Set up PowerShell-based monitoring script:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4726" -Action {
        $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
        Send-MailMessage -To "admin@company.com" -From "monitoring@company.com" -Subject "Account Deleted" -Body "Account deletion detected: $($Event.Message)" -SmtpServer "mail.company.com"
    }
  4. Configure Task Scheduler to run monitoring scripts:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorAccountDeletions.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName "MonitorAccountDeletions" -Action $Action -Trigger $Trigger -RunLevel Highest
Warning: Excessive monitoring can generate alert fatigue. Configure appropriate filters and thresholds based on your organization's normal account management patterns.
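The Register-WmiEvent approach above alerts on every deletion. The script below is an added example (not code from the article) of the filtering the warning calls for: it is written to run from the scheduled task in step 4, reads only 4726 records newer than a saved bookmark, baselines out approved automation accounts, and reports the remaining deletions when they happen outside business hours or arrive in bursts from one subject. The bookmark and alert paths, the CORP service-account names, the hours and the thresholds are assumptions; the two sample records used for the offline check are constructed.

```powershell
# Added example, not from the article: a polling 4726 monitor with a bookmark,
# an allowlist of automation accounts, and out-of-hours / burst detection.
# Paths, account names, hours and thresholds are assumptions to adapt.

$Config = @{
    BookmarkPath       = 'C:\Scripts\4726.bookmark'            # assumed; stores the last processed EventRecordID
    AlertPath          = 'C:\Scripts\4726-alerts.jsonl'        # assumed; one JSON finding per line
    ApprovedSubjects   = @('CORP\svc-iam', 'CORP\svc-hr-sync') # assumed identity-management service accounts
    BusinessHours      = 7..18                                 # local hours in which manual deletions are expected
    BurstThreshold     = 5                                     # deletions by one subject inside BurstWindowMinutes
    BurstWindowMinutes = 10
}

function Get-NewAccountDeletion {
    param([string]$BookmarkPath)
    $lastId = 0
    if (Test-Path $BookmarkPath) { $lastId = [int64](Get-Content $BookmarkPath -Raw).Trim() }
    # XPath filter: only 4726 records newer than the bookmark, so each run reads new events once.
    $query = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4726) and (EventRecordID &gt; $lastId)]]</Select>
</Query></QueryList>
"@
    Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue | ForEach-Object {
        # 4726 EventData order: TargetUserName, TargetDomainName, TargetSid,
        # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList
        [pscustomobject]@{
            RecordId       = $_.RecordId
            TimeCreated    = $_.TimeCreated
            DeletedAccount = '{0}\{1}' -f $_.Properties[1].Value, $_.Properties[0].Value
            DeletedSid     = $_.Properties[2].Value.ToString()
            DeletedBy      = '{0}\{1}' -f $_.Properties[5].Value, $_.Properties[4].Value
        }
    }
}

function Find-SuspiciousDeletion {
    param([object[]]$Deletions, [hashtable]$Config)
    foreach ($d in $Deletions) {
        # Approved automation accounts are baselined out; everything else is checked.
        if ($Config.ApprovedSubjects -contains $d.DeletedBy) { continue }
        $reasons = @()
        if ($Config.BusinessHours -notcontains $d.TimeCreated.Hour) {
            $reasons += 'manual deletion outside business hours'
        }
        $sameSubject = @($Deletions | Where-Object {
            $_.DeletedBy -eq $d.DeletedBy -and
            [math]::Abs(($_.TimeCreated - $d.TimeCreated).TotalMinutes) -le $Config.BurstWindowMinutes })
        if ($sameSubject.Count -ge $Config.BurstThreshold) {
            $reasons += "burst of $($sameSubject.Count) deletions by one subject within $($Config.BurstWindowMinutes) min"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated    = $d.TimeCreated
                DeletedAccount = $d.DeletedAccount
                DeletedSid     = $d.DeletedSid
                DeletedBy      = $d.DeletedBy
                Reasons        = $reasons -join '; '
            }
        }
    }
}

# Offline check with constructed records (made-up accounts, SIDs and a 02:10 timestamp).
$t = Get-Date '2024-05-01 02:10:00'
$sample = @(
    [pscustomobject]@{ RecordId = 1; TimeCreated = $t;               DeletedAccount = 'CORP\jdoe';   DeletedSid = 'S-1-5-21-1-2-3-1105'; DeletedBy = 'CORP\svc-iam' }
    [pscustomobject]@{ RecordId = 2; TimeCreated = $t.AddMinutes(1); DeletedAccount = 'CORP\asmith'; DeletedSid = 'S-1-5-21-1-2-3-1106'; DeletedBy = 'CORP\badmin' }
)
Find-SuspiciousDeletion -Deletions $sample -Config $Config | Format-Table -AutoSize

# Live run from the scheduled task: evaluate new events, record findings, advance the bookmark.
$new = @(Get-NewAccountDeletion -BookmarkPath $Config.BookmarkPath)
if ($new.Count -gt 0) {
    Find-SuspiciousDeletion -Deletions $new -Config $Config |
        ForEach-Object { $_ | ConvertTo-Json -Compress | Add-Content -Path $Config.AlertPath }
    [int64]($new | Measure-Object -Property RecordId -Maximum).Maximum | Set-Content -Path $Config.BookmarkPath
}
```

The constructed sample exercises both branches of the allowlist: one deletion by an approved service account at 02:10 and one by an individual administrator at the same hour. Findings are appended as JSON lines so a SIEM or the Send-MailMessage call from step 3 can consume them; the bookmark guarantees that a run which is delayed or repeated never re-alerts on records it has already processed.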
05. Forensic Investigation and Recovery

Perform detailed forensic analysis when unauthorized deletions are suspected:

  1. Preserve evidence by exporting relevant events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726; StartTime=(Get-Date).AddDays(-30)}
    $Events | Export-Csv -Path "C:\Forensics\AccountDeletions_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  2. Analyze logon sessions associated with deletions:
    # Get logon events for the same session
    $LogonId = "0x3e7"  # Placeholder: use the Subject Logon ID from the 4726 event (0x3e7 is the local SYSTEM session)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} | Where-Object {$_.Message -match $LogonId}
  3. Check for privilege escalation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-2) -and $_.TimeCreated -lt (Get-Date).AddMinutes(-5)}
  4. Attempt account recovery from Active Directory Recycle Bin:
    # Find deleted user by SID or name
    $DeletedUser = Get-ADObject -Filter {Deleted -eq $true -and SamAccountName -eq 'username'} -IncludeDeletedObjects
    # Restore the account
    Restore-ADObject -Identity $DeletedUser
  5. Generate comprehensive forensic report:
    $Report = @{
        DeletionEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726; StartTime=(Get-Date).AddDays(-7)}
        RelatedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634; StartTime=(Get-Date).AddDays(-7)}
        PrivilegeUse = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=(Get-Date).AddDays(-7)}
    }
    $Report | ConvertTo-Json -Depth 3 | Out-File "C:\Forensics\DeletionInvestigation.json"
Pro tip: Document the chain of custody for forensic evidence and maintain detailed logs of all investigation activities for potential legal proceedings.
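Step 2 matches the logon ID against message text. The function below is an added example (not code from the article) that does the same correlation against the named EventData fields: given the EventRecordID of the 4726 under investigation, it reads that event's SubjectLogonId and pulls every Security event tied to the same session, that is the 4624 that opened it and the 4634 that closed it (keyed by TargetLogonId), and the 4672 privilege assignment plus other account-management events the session performed (keyed by SubjectLogonId), then orders them into a timeline. The DC name and the record ID in the usage line are placeholders.

```powershell
# Added example, not from the article: rebuild the logon session behind one deletion.
# Fields are read from the event XML by name, so no Properties index is assumed.
# DC name and the EventRecordID in the usage line are placeholders.

function Get-EventDataField {
    # Returns the requested <Data Name="..."> values of one event as a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string[]]$Name)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($Name -contains $d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

function Get-DeletionSessionTimeline {
    param(
        [Parameter(Mandatory)][int64]$DeletionRecordId,  # EventRecordID of the 4726 under investigation
        [string]$ComputerName = 'DC01'                    # assumed: DC on which the deletion was processed
    )
    $deletion = Get-WinEvent -ComputerName $ComputerName -FilterXml @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4726) and (EventRecordID=$DeletionRecordId)]]</Select>
</Query></QueryList>
"@
    $logonId = (Get-EventDataField -Event $deletion -Name SubjectLogonId).SubjectLogonId   # hex string, e.g. 0x3e5a2

    # Two <Select> elements are OR'ed: session open/close keyed by TargetLogonId, and
    # actions keyed by SubjectLogonId. Logon IDs are compared as the hex strings stored in the XML.
    $session = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterXml @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]] and *[EventData[Data[@Name='TargetLogonId']='$logonId']]</Select>
  <Select Path="Security">*[System[(EventID=4672 or EventID=4720 or EventID=4726 or EventID=4728 or EventID=4732)]] and *[EventData[Data[@Name='SubjectLogonId']='$logonId']]</Select>
</Query></QueryList>
"@

    foreach ($evt in ($session | Sort-Object TimeCreated)) {
        $f = Get-EventDataField -Event $evt -Name LogonType, IpAddress, WorkstationName, TargetDomainName, TargetUserName, PrivilegeList
        $detail = switch ($evt.Id) {
            4624    { "logon type $($f.LogonType) as $($f.TargetDomainName)\$($f.TargetUserName) from $($f.IpAddress) ($($f.WorkstationName))" }
            4672    { "special privileges assigned: $(($f.PrivilegeList -split '\s+') -join ', ')" }
            4726    { "deleted account $($f.TargetDomainName)\$($f.TargetUserName)" }
            4634    { 'logoff' }
            default { $evt.TaskDisplayName }
        }
        [pscustomobject]@{ TimeCreated = $evt.TimeCreated; EventId = $evt.Id; LogonId = $logonId; Detail = $detail }
    }
}

# Usage: replace 123456 with the EventRecordID of the 4726 event being investigated.
Get-DeletionSessionTimeline -DeletionRecordId 123456 -ComputerName 'DC01' |
    Export-Csv -Path 'C:\Forensics\DeletionSession_123456.csv' -NoTypeInformation
```

The 4624 row answers the questions an investigation usually starts with (interactive, network or remote-interactive logon type, source address and workstation), the 4672 row shows which privileges the session held, and additional 4726/4720/4728/4732 rows reveal whether the deletion was an isolated act or part of a wider set of account changes from the same session.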

Overview

Event ID 4726 is a critical security audit event that fires whenever a user account is deleted from either Active Directory or the local Security Accounts Manager (SAM) database. This event appears in the Security log and provides detailed information about who deleted the account, when it occurred, and which account was removed.

The event fires immediately when an administrator uses tools like Active Directory Users and Computers, PowerShell cmdlets, or command-line utilities to delete user accounts. It records successful deletions and provides forensic evidence for security investigations. The event includes the Security Identifier (SID) of the deleted account, which remains constant even if account names change, making it invaluable for tracking account lifecycle events.

This event is particularly important in enterprise environments where user account management must be carefully monitored for compliance and security purposes. It helps administrators track unauthorized account deletions, maintain audit trails for regulatory requirements, and investigate potential insider threats or compromised administrative accounts.

Frequently Asked Questions

What does Event ID 4726 mean and when does it occur?
Event ID 4726 indicates that a user account has been successfully deleted from either Active Directory or the local Security Accounts Manager (SAM) database. It fires immediately when an administrator uses any method to delete a user account, including Active Directory Users and Computers, PowerShell cmdlets like Remove-ADUser, or command-line tools. The event provides detailed information about who performed the deletion, which account was deleted, and when the operation occurred. This is a critical security event for tracking account lifecycle management and detecting unauthorized account removals.
How can I identify who deleted a specific user account?
The Event ID 4726 contains detailed information about the deletion operation in the 'Subject' section. This includes the Account Name, Account Domain, and Logon ID of the person who performed the deletion. You can use PowerShell to extract this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4726} | Where-Object {$_.Message -match 'DeletedAccountName'} | Select-Object TimeCreated, Message. The event also includes the Security ID (SID) of both the subject who performed the deletion and the target account that was deleted, providing definitive identification even if account names have changed.
Can I recover a user account after seeing Event ID 4726?
Recovery depends on your environment configuration. In Active Directory environments with the Recycle Bin feature enabled (Windows Server 2008 R2 and later), you can recover deleted accounts using Restore-ADObject cmdlet. First, find the deleted object with Get-ADObject -Filter {Deleted -eq $true} -IncludeDeletedObjects, then restore it using Restore-ADObject -Identity. For local accounts or AD environments without Recycle Bin, recovery is not possible through standard means. You would need to recreate the account, but it will have a different SID and lose all previous permissions and group memberships. This is why implementing proper backup and change management procedures is crucial.
Why am I seeing multiple Event ID 4726 entries for automated systems?
Multiple 4726 events from automated systems typically indicate legitimate bulk operations such as employee offboarding processes, automated provisioning system cleanup, or scheduled maintenance tasks. These events often originate from service accounts used by identity management systems, HR integration tools, or PowerShell scripts running under scheduled tasks. To distinguish between legitimate and suspicious activity, examine the timing patterns (bulk operations often occur during maintenance windows), the source accounts (service accounts vs. individual admin accounts), and correlate with change management records. You can filter events by specific service accounts using PowerShell to separate automated operations from manual administrative actions.
How should I configure monitoring and alerting for Event ID 4726?
Implement a layered monitoring approach for Event ID 4726. First, create custom Event Viewer views to easily review deletion events. Set up Windows Event Forwarding (WEF) to centralize events from multiple systems to a collector server. Configure real-time alerting using PowerShell scripts with Register-WmiEvent or third-party SIEM solutions to detect deletions outside business hours or by unauthorized accounts. Establish baseline patterns for normal account deletion activity and alert on deviations. Consider implementing approval workflows where high-privilege account deletions require multiple approvals. For compliance environments, ensure events are forwarded to long-term storage systems and configure automated reporting for audit purposes. Balance sensitivity to avoid alert fatigue while ensuring critical unauthorized deletions are detected promptly.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
