Would you like to learn how to filter Windows event logs using Powershell to find who deleted a user account on the domain? In this tutorial, we are going to show you how to find who deleted an account on the Active Directory.
• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11
Equipment list
Here you can find the list of equipment used to create this tutorial.
This link will also show the software list used to create this tutorial.
Related tutorial – PowerShell
On this page, we offer quick access to a list of tutorials related to PowerShell.
Tutorial Powershell – Who deleted a user on the domain
On the domain controller, start an elevated Powershell command line.
List events related to the exclusion of a user account.
Here is the command output.
Display the content of events related to the exclusion of a user account.
Here is the command output.
Display only the content of the event message.
Here is the command output.
Find who deleted user accounts in the last 30 days.
Find who deleted user accounts in a specific time interval.
List events related to the exclusion of a specific user account.
In our example, we filtered based on the event message content.
Congratulations! You are able to find who deleted a user account in the Active Directory using Powershell.