I'm looking to create a CSV report for auditing purposes that shows all Active Directory accounts deleted in the past month. Is there a way to retrieve this information?
1 Answer
If you have the AD Recycle Bin enabled, recovering deleted users is straightforward, as those accounts will be listed there. However, if the Recycle Bin wasn't enabled before the deletions, unfortunately, you won't be able to retrieve them. You could try checking the security logs for deleted user events, but that only works if you had auditing set up in advance. Here's a PowerShell snippet that might help if you're able to access the logs:
```powershell
$eventID = 4726
$startTime = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$eventID; StartTime=$startTime} | ForEach-Object {
$xml = [xml]$_.ToXml()
$userDeleted = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' } | Select-Object -ExpandProperty '#text'
Write-Output "User deleted: $userDeleted"
}
```
For sure! But keep in mind that most DCs might not keep logs long enough, so if they’ve been deleted for more than 30 days, you might not find any useful info.