Would you like to learn how to filter Windows event logs using Powershell to find who deleted a user account on the domain? In this tutorial, we are going to show you how to find who deleted an account on the Active Directory.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

This link will also show the software list used to create this tutorial.

Related tutorial – PowerShell

On this page, we offer quick access to a list of tutorials related to PowerShell.

Tutorial Powershell – Who deleted a user on the domain

On the domain controller, start an elevated Powershell command line.

Windows 10 - powershell elevated

List events related to the exclusion of a user account.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Display the content of events related to the exclusion of a user account.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Display only the content of the event message.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Find who deleted user accounts in the last 30 days.

Copy to Clipboard

Find who deleted user accounts in a specific time interval.

Copy to Clipboard

List events related to the exclusion of a specific user account.

Copy to Clipboard

In our example, we filtered based on the event message content.

Congratulations! You are able to find who deleted a user account in the Active Directory using Powershell.