How To Find Who Deleted An AD Object Using Powershell

How to generate a report on details of deleted Active Directory objects

Written by Lakshmi, IT security team, ManageEngine Updated on November 2025

Deleting AD objects generally comes under administrator privileges and therefore in case of a suspicious deletion, it becomes crucial to find the user who initiated the event. Such an unauthorized user can be a terrible risk to the security of the network and the sooner an IT admin can detect them, the lesser will be the damage.

On native AD, even Windows PowerShell cannot on its own produce this report. One will have to use multiple applications before this information can be gained. ADAudit Plus, on the other hand, will fetch you the report in a few quick minutes. This is because ADAudit Plus has several pre-packaged reports that helps you conduct a general audit of the whole network. Apart from Here is a comparison on how to find the user who deleted a computer object using Windows PowerShell and ADAudit Plus.

Using Windows PowerShell

This method uses PowerShell to list the deleted objects, Command Prompt to find more details about the object and finally the Event Viewer to locate the event and the user who initiated it.

• Identify the relevant domain.
• Determine the attributes that you need in the report. For example, the Distinguished Name(DN) , the number of days you want to cover in the query and so on.
• Select the Domain Controller for which you need to generate the report.
• Write the code. A sample code has been appended to the end of this section.
• Compile the script.
• Execute it in Windows PowerShell.
• From the list of deleted computers, select the one you need details for. Copy the Distinguished Name(DN) of the deleted object. The DN will be used to run a command in Command Prompt, which can display more details on the deleted object.
• Open Active Directory Event Viewer and use the data obtained in the previous step to filter through the deletion events to locate the user who deleted the computer object.

Here is a sample script:

Get-Adobject -includedeletedobjects -filter{objectclass -eq "computer" -and isdeleted -eq$true} Copied Click to copy entire script

From the output, copy the DN of the particular deleted object. Then, open Command Prompt and type the following by inserting the name of your DC and DN of the deleted object n the appropriate spaces - repadmin /showobjmeta nameofDC "DN of computer object"

This will give you the date and time of deletion. You can now use the date to filter the events in Active Directory Event Viewer to discover the user who deleted the AD object.

Using ADAudit Plus

• Open ADAudit Plus and go to Reports> Computer Management> Recently Deleted Computers to find a detailed report.
• Select the relevant Domain and OU and click Generate.
• Select Export to export the report in the various available formats(CSV, PDF, HTML, CSVDE and XLSX).

Screenshot:

There are several limitations when using WIndows PowerShell to find the details of a deleted object such as the below:

• PowerShell script can only be run from a computer that has Active Directory Domain Services role in it.
• It becomes necessary to use multiple applications to get the required data in this case.
• To export the output in a different format, the script will have to be modified.
• Applying more filters would increase the complexity of the script.

On the other hand, ADAudit Plus' pre-packaged reports provide the necessary information in just a few clicks. This is because ADAudit Plus has several pre-packaged reports that helps you conduct a general audit of the whole network. Apart from that, there are also custom reports that can be designed to suit your particular security needs.