Account Deleted

Windows 10Windows 7Windows 8Windows 8.1Windows 11Security

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

An attacker may attempt to tidy up after themselves by deleting an account or simply disrupt normal workflow by deleting legitimate accounts.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4726'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"computer account management"
Disable Logging
auditpol /set /subcategory:"computer account management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"computer account management" /Success:Enable /Failure:Enable
Language: Powershell
Back to Windows

Compliance

HIPAA

Level: Recommended

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es

PCI DSS

Level: Required

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1631643252599

NSA Event Forwarding

Level: Recommended

https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events

Windows 10 Professional logs this by default. To view this log, navigate to the security tab of the Event Viewer. Sort or filter the logs for the event ID 4726.

To view this log from the command line with Get-WinEvent, launch powershell as an administrator. Enter the command Get-WinEvent -FilterHashTable @{LogName='Security';ID='4726'} -MaxEvents 1 | Format-List

To view this log from the command line with wevtutil, launch powershell or the command prompt as an administrator. Enter the command wevtutil qe Security "q:\*[System [(EventID=4726)]]"

Additional References

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor