Deleted AD user accounts reappearing
We delete user accounts, but after a while they come back. We have not restored a domain controller; where are these coming back from?
Software/Hardware used:
Windows 2008 R2
Software/Hardware used:
Windows 2008 R2
ASKED:
December 6, 2012 8:05 PM
Answer Wiki:
Well exactly not confirmed but You can perform auditing to determine who may be creating accounts.
There is a policy setting called "audit account management" that you can enable.
The description of the setting is below.
Audit account management
Computer ConfigurationWindows SettingsSecurity SettingsLocal
PoliciesAudit Policy
Description
Determines whether to audit each event of account management on a computer.
Examples of account managment events include:
a.. A user account or group is created, changed, or deleted
b.. A user account is renamed, disabled, or enabled
c.. A password is set or changed
By default, this value is set to No auditing in the Default Domain
Controller Group Policy object (GPO) and in the local policies of
workstations and servers.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not to audit the event type at all. Success
audits generate an audit entry when any account management event is
successful. Failure audits generate an audit entry when any account
management event fails. You can select No auditing by defining the policy
setting and unchecking Success and Failure.
The description of the setting is below.
Audit account management
Computer ConfigurationWindows SettingsSecurity SettingsLocal
PoliciesAudit Policy
Description
Determines whether to audit each event of account management on a computer.
Examples of account managment events include:
a.. A user account or group is created, changed, or deleted
b.. A user account is renamed, disabled, or enabled
c.. A password is set or changed
By default, this value is set to No auditing in the Default Domain
Controller Group Policy object (GPO) and in the local policies of
workstations and servers.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not to audit the event type at all. Success
audits generate an audit entry when any account management event is
successful. Failure audits generate an audit entry when any account
management event fails. You can select No auditing by defining the policy
setting and unchecking Success and Failure.
All Answer Wiki Contributors:
palicos 
100 pts. ,
TomLiotta 107,695 pts. ,
retertrtyry 15 pts. ,
Michael Tidmarsh 11,380 pts.
100 pts. ,
TomLiotta 107,695 pts. ,
retertrtyry 15 pts. ,
Michael Tidmarsh 11,380 pts. To see all answers submitted to the Answer Wiki: View Answer History.
How is your domain structure single domain controller or multiples domain controller. so possibly someone also receive same request for Windows ID creation please check the object creation date / time that will give you better idea about it.