ANAVEM
Event ID 4746 | Information | Microsoft-Windows-Security-Auditing | Windows

Windows Event ID 4746 – Microsoft-Windows-Security-Auditing: Computer Account Deleted

Event ID 4746 records when a computer account is deleted from Active Directory. This security audit event tracks administrative actions that remove machine accounts from the domain.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Event ID 4746 represents a critical security audit event that documents computer account deletions within Active Directory environments. When a domain administrator or authorized user removes a computer account from the directory, Windows generates this event to maintain an audit trail of the administrative action.

The event fires on the domain controller that processes the deletion request and contains comprehensive details about the operation. Key information includes the target computer account's distinguished name, security identifier (SID), SAM account name, and the security context of the user who initiated the deletion. This data proves invaluable for security investigations, compliance auditing, and tracking unauthorized administrative activities.

Computer account deletions typically occur during planned decommissioning activities, domain cleanup operations, or when removing systems that no longer exist in the network. However, unexpected instances of this event might indicate unauthorized administrative access, malicious activity, or accidental deletions that could impact domain operations.

The event integrates with Windows advanced audit policies and requires proper configuration of object access auditing for computer accounts. Organizations implementing comprehensive security monitoring rely on Event ID 4746 to track changes to their Active Directory computer account inventory and maintain detailed records of administrative actions for regulatory compliance and security analysis purposes.

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Active Directory Domain Controllers

Analysis

Possible Causes

  • Administrator manually deleting computer accounts through Active Directory Users and Computers
  • PowerShell scripts executing Remove-ADComputer cmdlets during cleanup operations
  • Automated decommissioning processes removing obsolete machine accounts
  • Third-party management tools performing bulk computer account deletions
  • Domain controller cleanup operations removing inactive computer accounts
  • Security incidents involving unauthorized deletion of computer accounts
  • Migration processes cleaning up old computer accounts from previous domains
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4746 occurrence to understand what computer account was deleted and by whom.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4746 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: User who deleted the account
    • Target Account: Computer account that was deleted
    • Additional Information: Privileges used for deletion

Use PowerShell to query recent computer account deletions:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746} -MaxEvents 50 | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Computer';Expression={$_.Properties[5].Value}}
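
Positional indexes into Properties depend on the event's field order, so a report is more robust when it reads fields by name from the event XML. The following is an added example, not part of the original article; the sample record is constructed, and the Subject*/Target* field names are an assumption based on the naming used by account-management audit events, so confirm them in the XML view of one of your own events.

```powershell
# Constructed sample record (not from a real log). Field names are assumed;
# check them against the XML view of an event on your domain controller.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2026-03-18T02:14:07.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">WKS-0042$</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-4242</Data>
    <Data Name="SubjectUserName">jdoe-adm</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

function ConvertFrom-AuditEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    # Index every <Data Name="..."> element by its name instead of its position
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeUtc    = ([datetime]$doc.Event.System.TimeCreated.SystemTime).ToUniversalTime()
        Controller = $doc.Event.System.Computer
        Actor      = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
        Target     = $fields['TargetUserName']
        TargetSid  = $fields['TargetSid']
        LogonId    = $fields['SubjectLogonId']   # ties the action to a logon session
    }
}

# Offline run against the constructed sample
ConvertFrom-AuditEventXml -Xml $sampleXml

# Live use on a domain controller (event ID as given in this article):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746} -MaxEvents 50 |
#     ForEach-Object { ConvertFrom-AuditEventXml -Xml $_.ToXml() }
```
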
02

Correlate with Computer Account Creation Events

Cross-reference deletion events with creation events to understand the lifecycle of the deleted computer accounts.

  1. Search for corresponding Event ID 4741 (computer account created) entries
  2. Use PowerShell to correlate creation and deletion events:
# Get computer account deletions
$deletions = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746} -MaxEvents 100

# Get computer account creations
$creations = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741} -MaxEvents 500

# Correlate by computer name
foreach ($deletion in $deletions) {
    $computerName = $deletion.Properties[5].Value
    $matchingCreation = $creations | Where-Object {$_.Properties[5].Value -eq $computerName} | Select-Object -First 1
    if ($matchingCreation) {
        Write-Output "Computer: $computerName, Created: $($matchingCreation.TimeCreated), Deleted: $($deletion.TimeCreated)"
    }
}
  3. Analyze the time span between creation and deletion to identify patterns
  4. Look for unusually short-lived computer accounts that might indicate suspicious activity
03

Investigate User Context and Permissions

Examine who performed the deletion and verify they had appropriate permissions for the action.

  1. Extract the user information from the event details
  2. Verify the user's group memberships and permissions:
# Requires the ActiveDirectory module (RSAT) for Get-ADUser / Get-ADGroup
Import-Module ActiveDirectory

# Get the user who deleted computer accounts
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746} -MaxEvents 20
# $event is a PowerShell automatic variable, so the loop uses $evt instead
foreach ($evt in $events) {
    $userName = $evt.Properties[1].Value
    $domain = $evt.Properties[2].Value
    Write-Output "Checking permissions for: $domain\$userName"

    # Check group memberships
    try {
        $user = Get-ADUser -Identity $userName -Properties MemberOf
        $user.MemberOf | ForEach-Object {
            $group = Get-ADGroup -Identity $_
            Write-Output "  Member of: $($group.Name)"
        }
    } catch {
        Write-Warning "Could not retrieve user information for $userName"
    }
}
  3. Review if the user belongs to appropriate administrative groups (Domain Admins, Account Operators)
  4. Check for any recent privilege escalations or unusual administrative access
  5. Verify the deletion was performed during normal business hours and follows change management procedures
04

Analyze Deletion Patterns and Frequency

Examine patterns in computer account deletions to identify potential security concerns or operational issues.

  1. Generate a comprehensive report of deletion activities over time:
# Analyze deletion patterns over the last 30 days
$startDate = (Get-Date).AddDays(-30)
$deletions = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746; StartTime=$startDate}

# Group by user
$byUser = $deletions | Group-Object {$_.Properties[1].Value} | Sort-Object Count -Descending
Write-Output "Deletions by User:"
$byUser | ForEach-Object {
    Write-Output "$($_.Name): $($_.Count) deletions"
}

# Group by day
$byDay = $deletions | Group-Object {$_.TimeCreated.Date} | Sort-Object Name
Write-Output "`nDeletions by Day:"
$byDay | ForEach-Object {
    Write-Output "$($_.Name): $($_.Count) deletions"
}

# Check for bulk deletions (more than 10 in an hour)
$bulkDeletions = $deletions | Group-Object {$_.TimeCreated.ToString("yyyy-MM-dd HH")} | Where-Object {$_.Count -gt 10}
if ($bulkDeletions) {
    Write-Warning "Potential bulk deletion detected:"
    $bulkDeletions | ForEach-Object {
        Write-Output "$($_.Name): $($_.Count) deletions"
    }
}
  2. Look for unusual spikes in deletion activity
  3. Identify any deletions occurring outside normal maintenance windows
  4. Cross-reference with change management tickets or scheduled maintenance
05

Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on suspicious computer account deletion activities.

  1. Create a scheduled task to monitor for Event ID 4746:
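# Create monitoring script (Write-EventLog / New-EventLog need Windows PowerShell 5.1)
$monitorScript = @'
$events = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4746; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue
if ($events) {
    $alertMessage = "Computer account deletion detected:`n"
    # $event is a PowerShell automatic variable, so the loop uses $evt instead
    foreach ($evt in $events) {
        $user = $evt.Properties[1].Value
        $computer = $evt.Properties[5].Value
        $time = $evt.TimeCreated
        $alertMessage += "User: $user deleted computer: $computer at $time`n"
    }

    # Write-EventLog fails if the source is not registered, so register it once
    if (-not [System.Diagnostics.EventLog]::SourceExists("AD Monitor")) {
        New-EventLog -LogName Application -Source "AD Monitor"
    }

    # Send alert (customize based on your alerting system)
    Write-EventLog -LogName Application -Source "AD Monitor" -EventId 1001 -Message $alertMessage -EntryType Warning
}
'@

# Make sure the target folder exists, then save the script to file
New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
$monitorScript | Out-File -FilePath "C:\Scripts\Monitor-ComputerDeletions.ps1" -Encoding UTF8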
  2. Configure Windows Event Forwarding to centralize Event ID 4746 from all domain controllers
  3. Set up custom event log filters in your SIEM solution
  4. Create alerts for:
    • Multiple deletions by the same user within a short timeframe
    • Deletions by non-administrative users
    • Deletions occurring outside business hours
    • Bulk deletion operations exceeding normal thresholds
  5. Implement automated backup of computer account information before deletion using PowerShell:
# Backup computer account details before deletion
# Requires the ActiveDirectory module (RSAT) for Get-ADComputer
function Backup-ComputerAccount {
    param([string]$ComputerName)

    try {
        $computer = Get-ADComputer -Identity $ComputerName -Properties *
        $backupData = @{
            Name = $computer.Name
            DistinguishedName = $computer.DistinguishedName
            # Store the SID string; the raw SID object serializes to JSON as a nested structure
            SID = $computer.SID.Value
            Created = $computer.Created
            LastLogonDate = $computer.LastLogonDate
            OperatingSystem = $computer.OperatingSystem
            Description = $computer.Description
        }

        # Make sure the backup folder exists before writing to it
        $backupDir = "C:\ADBackups\ComputerAccounts"
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        $backupPath = "$backupDir\$ComputerName-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
        $backupData | ConvertTo-Json | Out-File -FilePath $backupPath
        Write-Output "Computer account backed up to: $backupPath"
    } catch {
        Write-Error "Failed to backup computer account: $($_.Exception.Message)"
    }
}
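
The alert criteria listed in this method can be evaluated per actor with a sliding time window, which also catches bursts that straddle an hour boundary and are missed by per-calendar-hour grouping. This is an added example, not part of the original article; the records are constructed, and the approved-actor list and the 08:00 to 18:00 business hours are assumptions to replace with your own values.

```powershell
# Constructed records (not real log data), shaped like parsed deletion events.
# 12 deletions every 2 minutes from 01:50: 5 fall in hour 01 and 7 in hour 02,
# so per-calendar-hour buckets with a >10 threshold never fire.
$base = [datetime]'2026-03-18T01:50:00'
$records = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $base.AddMinutes(2 * $_); Actor = 'EXAMPLE\svc-cleanup'
                       Target = 'WKS-{0:d4}$' -f $_ }
})
$records += [pscustomobject]@{ Time = [datetime]'2026-03-18T14:30:00'
                               Actor = 'EXAMPLE\jdoe'; Target = 'LAB-0007$' }
$records += [pscustomobject]@{ Time = [datetime]'2026-03-18T10:00:00'
                               Actor = 'EXAMPLE\adm-ops'; Target = 'SRV-OLD01$' }

function Find-SuspiciousDeletion {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$ApprovedActors = @(),            # hypothetical allowlist
        [int]$BurstCount = 10,                      # same threshold as the article
        [timespan]$Window = (New-TimeSpan -Hours 1),
        [int]$DayStartHour = 8,                     # assumed business hours
        [int]$DayEndHour = 18
    )
    foreach ($group in ($Records | Group-Object Actor)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: largest number of deletions inside any $Window span
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].Time - $sorted[$start].Time) -gt $Window) { $start++ }
            $peak = [math]::Max($peak, $end - $start + 1)
        }
        $offHours = @($sorted | Where-Object {
            $_.Time.Hour -lt $DayStartHour -or $_.Time.Hour -ge $DayEndHour }).Count
        $unapproved = $group.Name -notin $ApprovedActors
        # Emit one finding per actor that trips at least one rule
        if ($peak -gt $BurstCount -or $offHours -gt 0 -or $unapproved) {
            [pscustomobject]@{
                Actor = $group.Name; Deletions = $sorted.Count; PeakInWindow = $peak
                Burst = ($peak -gt $BurstCount); OffHours = $offHours; Unapproved = $unapproved
            }
        }
    }
}

Find-SuspiciousDeletion -Records $records -ApprovedActors 'EXAMPLE\svc-cleanup', 'EXAMPLE\adm-ops' |
    Format-Table -AutoSize
```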

Overview

Event ID 4746 fires whenever a computer account gets deleted from Active Directory. This security audit event appears in the Security log on domain controllers and provides crucial tracking for machine account management activities. The event captures who deleted the account, when it happened, and which computer account was removed.

This event is part of Windows advanced audit policy for account management and only appears when object access auditing is enabled for computer accounts. Domain administrators typically see this event during decommissioning processes, cleanup operations, or when removing obsolete machine accounts from the directory.

The event includes detailed information about the deletion operation, including the security identifier of the deleted computer account, the user who performed the deletion, and the domain controller that processed the request. Understanding this event helps maintain proper audit trails for compliance requirements and security monitoring in enterprise environments.

Frequently Asked Questions

What does Event ID 4746 indicate in Windows Active Directory?
Event ID 4746 indicates that a computer account has been deleted from Active Directory. This security audit event records the administrative action of removing a machine account from the domain, including details about who performed the deletion, when it occurred, and which computer account was removed. The event appears in the Security log on domain controllers and is essential for maintaining audit trails of computer account management activities.
How can I determine who deleted a computer account using Event ID 4746?
The Event ID 4746 entry contains detailed information about the user who performed the deletion. In Event Viewer, look for the 'Subject' section which shows the Security ID, Account Name, Account Domain, and Logon ID of the user who deleted the computer account. You can also use PowerShell to extract this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4746} | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}. The Properties[1].Value contains the username of the person who performed the deletion.
Why am I not seeing Event ID 4746 in my Security log?
Event ID 4746 only appears when advanced audit policies are properly configured for computer account management. You need to enable 'Audit Computer Account Management' in Group Policy under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. Additionally, this event only fires on domain controllers, not on member servers or workstations. If auditing is enabled but you're still not seeing events, verify that computer account deletions are actually occurring and check that you're looking at the correct domain controller's Security log.
Can Event ID 4746 help identify unauthorized computer account deletions?
Yes, Event ID 4746 is crucial for detecting unauthorized computer account deletions. By monitoring these events, you can identify deletions performed by users who shouldn't have administrative privileges, deletions occurring outside normal business hours, or bulk deletion operations that might indicate malicious activity. Set up alerts for unusual patterns such as multiple deletions by the same user, deletions by non-administrative accounts, or deletions of recently created computer accounts. Cross-reference the events with your change management processes to identify unauthorized activities.
How long are Event ID 4746 records retained in the Security log?
The retention period for Event ID 4746 records depends on your Security log configuration. By default, Windows retains Security log events based on the maximum log size setting and the log retention policy (overwrite as needed, archive when full, or do not overwrite). For compliance and security monitoring purposes, consider increasing the Security log size and implementing log forwarding to a central logging system or SIEM. Many organizations configure log retention for 90 days to 1 year locally, with longer-term storage in centralized systems. You can check your current settings in Event Viewer under Security log Properties or via PowerShell using Get-WinEvent -ListLog Security.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
