ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Security Event Viewer displaying Event ID 4763 account deletion audit logs on a security monitoring dashboard
Event ID 4763InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4763 – Microsoft-Windows-Security-Auditing: User Account Deleted

Event ID 4763 fires when a user account is deleted from Active Directory or local computer. This security audit event tracks account deletion activities for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4763Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4763 represents a critical security audit point in Windows environments. When a user account deletion occurs, Windows generates this event to maintain an audit trail of account management activities. The event contains detailed information including the target account name, domain, SID, and the security context of the user who performed the deletion.

This event fires immediately after successful account deletion operations, whether performed through Active Directory Users and Computers, PowerShell cmdlets like Remove-ADUser, or programmatic deletion through LDAP operations. The event appears on the domain controller that processed the deletion request for domain accounts, or on the local machine for local account deletions.

The event structure includes multiple fields that provide comprehensive information about the deletion operation. Key fields include the target account information (name, domain, SID), the subject who performed the deletion (account name, domain, logon ID), and additional attributes like privileges used during the operation. This information proves invaluable during security investigations, compliance audits, and forensic analysis of account management activities.

Understanding this event becomes crucial when investigating potential security incidents involving unauthorized account deletions, tracking administrative activities for compliance purposes, or troubleshooting access issues that might result from accidental account removal.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually deleting user accounts through Active Directory Users and Computers console
  • PowerShell scripts executing Remove-ADUser or Remove-LocalUser cmdlets
  • Automated account cleanup processes removing inactive or expired user accounts
  • Third-party identity management systems performing account lifecycle operations
  • LDAP-based applications or scripts deleting user objects programmatically
  • Exchange management tools removing mailbox-enabled user accounts
  • Bulk account deletion operations during organizational restructuring
  • Security incident response activities removing compromised accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific event details to understand what account was deleted and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log by clicking Filter Current Log in the right pane
  4. Enter 4763 in the Event IDs field and click OK
  5. Double-click on an Event ID 4763 entry to view detailed information
  6. Review the General tab for key details:
    • Target Account Name: The deleted user account
    • Target Domain: Domain or computer name
    • Target SID: Security identifier of deleted account
    • Subject Account Name: Who performed the deletion
    • Subject Domain: Domain of the deleting user
  7. Check the timestamp to correlate with other security events
  8. Note the Logon ID to track the session that performed the deletion
Pro tip: Export filtered results to CSV for analysis by clicking Save Filtered Log File As in the Actions pane.
02

Query Events Using PowerShell

Use PowerShell to programmatically search and analyze Event ID 4763 occurrences across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent account deletion events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from event properties:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763} -MaxEvents 10 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        TargetUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        TargetDomainName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
        SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        SubjectDomainName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
    }
}
  5. Query multiple domain controllers simultaneously:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Invoke-Command -ComputerName $DC.Name -ScriptBlock {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763} -MaxEvents 10 -ErrorAction SilentlyContinue
    }
}
Warning: Querying Security logs requires administrative privileges and appropriate audit log access permissions.
03

Correlate with Related Security Events

Investigate related events to build a complete picture of the account deletion activity and identify potential security concerns.

  1. Search for related logon events around the same time:
    $DeletionTime = (Get-Date '2026-03-18 10:30:00')
$TimeWindow = 30 # minutes
$StartTime = $DeletionTime.AddMinutes(-$TimeWindow)
$EndTime = $DeletionTime.AddMinutes($TimeWindow)

# Look for logon events (4624) and logoff events (4634)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634; StartTime=$StartTime; EndTime=$EndTime}
  2. Check for privilege use events (4672, 4673) that might indicate elevated operations:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Message -like '*SeSecurityPrivilege*' -or $_.Message -like '*SeTcbPrivilege*'}
  3. Look for other account management events in the same timeframe:
    # Account management events: 4720 (created), 4722 (enabled), 4725 (disabled), 4726 (deleted)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4722,4725,4726,4763; StartTime=$StartTime; EndTime=$EndTime} | Sort-Object TimeCreated
  4. Check for process creation events (4688) to identify tools used:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Message -like '*dsa.msc*' -or $_.Message -like '*powershell*' -or $_.Message -like '*dsrm*'}
  5. Review Group Policy changes (4719) that might affect audit settings:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719; StartTime=$StartTime; EndTime=$EndTime}
Pro tip: Use the LogonId field from Event 4763 to correlate all activities performed during the same logon session.
04

Verify Audit Policy Configuration

Ensure that account management auditing is properly configured to capture all relevant account deletion events.

  1. Check current audit policy settings using auditpol:
    auditpol /get /category:"Account Management"
  2. Verify specific subcategory settings for user account management:
    auditpol /get /subcategory:"User Account Management"
  3. Review Group Policy settings for audit configuration:
    • Open Group Policy Management Console
    • Navigate to the relevant GPO (typically Default Domain Controllers Policy)
    • Go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Expand Account Management and verify Audit User Account Management is set to Success and Failure
  4. Check registry settings for audit configuration:
    Get-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name MaxSize, Retention
  5. Verify Security log size and retention settings:
    $LogConfig = Get-WinEvent -ListLog Security
Write-Host "Maximum Size: $($LogConfig.MaximumSizeInBytes / 1MB) MB"
Write-Host "Current Size: $($LogConfig.FileSize / 1MB) MB"
Write-Host "Is Enabled: $($LogConfig.IsEnabled)"
Write-Host "Log Mode: $($LogConfig.LogMode)"
  6. Test audit policy by creating and deleting a test account:
    # Create test user
New-LocalUser -Name "TestAuditUser" -NoPassword -Description "Test account for audit verification"
# Delete test user
Remove-LocalUser -Name "TestAuditUser"
# Verify events were generated
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4763} -MaxEvents 5
Warning: Modifying audit policies affects system performance and log storage requirements. Plan accordingly for increased log volume.
05

Implement Automated Monitoring and Alerting

Set up automated monitoring to detect and alert on suspicious account deletion activities in real-time.

  1. Create a PowerShell script for continuous monitoring:
    # Save as Monitor-AccountDeletions.ps1
param(
    [int]$CheckIntervalMinutes = 5,
    [string]$AlertEmail = "admin@company.com",
    [string]$SMTPServer = "mail.company.com"
)

while ($true) {
    $StartTime = (Get-Date).AddMinutes(-$CheckIntervalMinutes)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763; StartTime=$StartTime} -ErrorAction SilentlyContinue
    
    if ($Events) {
        foreach ($Event in $Events) {
            $EventXML = [xml]$Event.ToXml()
            $TargetUser = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            $SubjectUser = ($EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            
            $AlertMessage = "ALERT: User account '$TargetUser' was deleted by '$SubjectUser' at $($Event.TimeCreated)"
            Write-Warning $AlertMessage
            
            # Send email alert (configure SMTP settings)
            # Send-MailMessage -To $AlertEmail -Subject "Account Deletion Alert" -Body $AlertMessage -SmtpServer $SMTPServer
        }
    }
    
    Start-Sleep -Seconds ($CheckIntervalMinutes * 60)
}
  2. Create a scheduled task to run the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-AccountDeletions.ps1"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName "Monitor Account Deletions" -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings
  3. Configure Windows Event Forwarding for centralized monitoring:
    • On collector server, run: wecutil qc
    • Create subscription configuration file:
      <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>AccountDeletions</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Account Deletion Events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4763]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
</Subscription>
    • Create the subscription: wecutil cs AccountDeletions.xml
  4. Set up SIEM integration using Windows Event Collector or direct log forwarding:
    # Configure winlogbeat for Elastic Stack integration
# Edit winlogbeat.yml configuration
event_logs:
  - name: Security
    event_id: 4763
    processors:
      - script:
          lang: javascript
          source: |
            function process(event) {
                if (event.Get("winlog.event_id") === 4763) {
                    event.Put("event.category", ["iam"]);
                    event.Put("event.type", ["user", "deletion"]);
                }
            }
Pro tip: Combine Event ID 4763 monitoring with 4720 (account creation) and 4725 (account disabled) for comprehensive account lifecycle tracking.

Overview

Event ID 4763 is a security audit event that fires whenever a user account gets deleted from either Active Directory or the local Security Accounts Manager (SAM) database. This event appears in the Security log and provides detailed information about who deleted the account, when it happened, and which account was removed.

This event fires on domain controllers when AD user accounts are deleted, and on member servers or workstations when local user accounts are removed. The event captures the security identifier (SID) of both the deleted account and the account that performed the deletion, making it valuable for security auditing and compliance tracking.

You'll find this event in environments where user account auditing is enabled through Group Policy. The event provides forensic evidence of account management activities and helps administrators track unauthorized or suspicious account deletions. Modern Windows systems generate this event automatically when the appropriate audit policies are configured.

Frequently Asked Questions

What does Event ID 4763 mean and when does it occur?+
Event ID 4763 indicates that a user account has been successfully deleted from either Active Directory or the local Security Accounts Manager (SAM) database. This event fires immediately after the deletion operation completes and provides detailed audit information including who deleted the account, when it happened, and which account was removed. The event appears in the Security log on domain controllers for AD account deletions or on local machines for local account deletions. This event is crucial for security auditing, compliance tracking, and forensic investigations involving account management activities.
How can I determine who deleted a specific user account using Event ID 4763?+
Event ID 4763 contains detailed information about both the deleted account and the account that performed the deletion. In the event details, look for the 'Subject Account Name' and 'Subject Domain Name' fields, which identify who performed the deletion. The 'Target Account Name' and 'Target Domain Name' fields show which account was deleted. You can also use the 'Subject Logon ID' to correlate with other events from the same logon session. Use PowerShell to extract this information programmatically: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4763} and parse the EventData XML to get specific field values.
Why am I not seeing Event ID 4763 in my Security log?+
Event ID 4763 only appears when account management auditing is properly configured. Check your audit policy settings using 'auditpol /get /subcategory:"User Account Management"' - it should show 'Success and Failure' for comprehensive logging. In Group Policy, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management and ensure it's enabled. Also verify that the Security log has sufficient size and retention settings to store these events. On domain controllers, the Default Domain Controllers Policy typically contains these settings.
Can Event ID 4763 help me recover a deleted user account?+
Event ID 4763 itself cannot recover a deleted account, but it provides valuable information for recovery efforts. The event contains the Security Identifier (SID) of the deleted account, which is crucial for restoring from Active Directory Recycle Bin if enabled. Use 'Get-ADObject -IncludeDeletedObjects -Filter {ObjectGUID -eq "GUID-from-event"}' to locate the deleted object. If AD Recycle Bin isn't enabled, you'll need to restore from a system state backup taken before the deletion. The timestamp in Event 4763 helps identify the appropriate backup to use. The event also shows the exact account name and domain, which assists in recreating the account with proper attributes if restoration isn't possible.
How should I respond to suspicious Event ID 4763 entries indicating unauthorized account deletions?+
First, immediately verify the legitimacy of the deletion by checking with the person identified in the 'Subject Account Name' field. If unauthorized, treat it as a security incident: disable the compromising account, reset passwords, and review all recent activities by that account using their Logon ID. Check for related events like 4624 (logon), 4672 (privilege use), and 4688 (process creation) to understand the attack vector. Examine other account management events (4720, 4722, 4725) to identify additional unauthorized changes. If the deleted account had administrative privileges, perform a comprehensive security review including checking for backdoors, reviewing group memberships, and auditing recent configuration changes. Document all findings for incident response and consider engaging forensic specialists for critical environments.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including account management eventshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Audit Policy ConfigurationOfficial documentation for configuring advanced audit policies in Windows environmentshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4763#security-auditing#account-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...