Event ID 4743 - A computer account was deleted
Log Sample
{
  "EventTime": "2017/11/17 04:04:12",
  "Hostname": "CIVDCS-ADC1.changeme.com",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4743,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 13825,
  "OpcodeValue": 0,
  "RecordNumber": 57853551,
  "ProcessID": 528,
  "ThreadID": 1208,
  "Channel": "Security",
  "Message": "A computer account was deleted.",
  "Category": "Computer Account Management",
  "Opcode": "Info",
  "TargetUserName": "CIVVMI-SAGE01$",
  "TargetDomainName": "changeme",
  "TargetSid": "S-1-5-21-1210427511-1310429627-2740863702-32935",
  "SubjectUserSid": "S-1-5-21-1210427511-1310429627-2740863702-1123",
  "SubjectUserName": "ChrisR_ADMIN",
  "SubjectDomainName": "changeme",
  "SubjectLogonId": "0x5fa803",
  "PrivilegeList": "-",
  "EventReceivedTime": "2017/11/17 04:04:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
Detail Description
Subject:
- Security ID: SID of the account that requested the “delete Computer object” operation.
- Account Name: the name of the account that requested the “delete Computer object” operation.
- Account Domain: the subject’s domain name. Formats vary, and include the following:
  Domain NETBIOS name example: CONTOSO
  Lowercase full domain name: contoso.local
  Uppercase full domain name: CONTOSO.LOCAL
  For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- Logon ID: hexadecimal value that can help you correlate this event with recent events that contain the same Logon ID, for example, “4624: An account was successfully logged on.” In the sample above this is SubjectLogonId (0x5fa803).
Computer Account (Target):
- Security ID: SID of the deleted computer account.
- Account Name: the name of the computer account that was deleted. For example: WIN81$
- Account Domain: domain name of the deleted computer account. Formats vary, and include the following:
  Domain NETBIOS name example: CONTOSO
  Lowercase full domain name: contoso.local
  Uppercase full domain name: CONTOSO.LOCAL
Additional Information:
- Privileges: the list of user privileges that were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”.
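The Logon ID correlation described under Subject is the practical use of this event: a 4743 on its own tells you who deleted which computer account, but the matching 4624 (same Logon ID) adds the logon type and source address of the session that did it. The script below is an added example, not code from the original page; it parses flattened one-event-per-line JSON in the same shape as the log sample, joins each 4743 to the 4624 whose TargetLogonId equals the deletion's SubjectLogonId, and flags subjects that deleted several accounts in one batch. All sample events, SIDs, IPs and logon IDs below are constructed; the 4624 field names TargetLogonId, LogonType and IpAddress are the standard event-data names as nxlog's im_msvistalog flattens them, and the bulk threshold is an assumed tuning value.

```python
"""Correlate Event ID 4743 (computer account deleted) with the 4624 logon that
shares its Logon ID, then flag subjects performing bulk deletions.
Sample events are constructed for this example (not real telemetry)."""
import json
from collections import Counter

DC = "CIVDCS-ADC1.changeme.com"

# Constructed sample batch, one JSON object per line like the page's log sample.
# Values other than those in the page's sample are invented for illustration.
SAMPLE_LINES = [json.dumps(ev) for ev in [
    {"EventTime": "2017/11/17 03:58:40", "Hostname": DC, "EventID": 4624,
     "TargetUserName": "ChrisR_ADMIN", "TargetDomainName": "changeme",
     "TargetLogonId": "0x5fa803", "LogonType": "3", "IpAddress": "10.0.0.25"},
    {"EventTime": "2017/11/17 04:04:12", "Hostname": DC, "EventID": 4743,
     "TargetUserName": "CIVVMI-SAGE01$", "TargetDomainName": "changeme",
     "TargetSid": "S-1-5-21-1210427511-1310429627-2740863702-32935",
     "SubjectUserName": "ChrisR_ADMIN", "SubjectDomainName": "changeme",
     "SubjectLogonId": "0x5fa803", "PrivilegeList": "-"},
    # Same session, logon ID rendered in upper case by another collector.
    {"EventTime": "2017/11/17 04:04:15", "Hostname": DC, "EventID": 4743,
     "TargetUserName": "CIVVMI-SAGE02$", "TargetDomainName": "changeme",
     "TargetSid": "S-1-5-21-1210427511-1310429627-2740863702-32936",
     "SubjectUserName": "ChrisR_ADMIN", "SubjectDomainName": "changeme",
     "SubjectLogonId": "0x5FA803", "PrivilegeList": "-"},
    # Deletion whose 4624 is outside the batch (e.g. logon predates retention).
    {"EventTime": "2017/11/17 04:09:01", "Hostname": DC, "EventID": 4743,
     "TargetUserName": "CIVVMI-BUILD07$", "TargetDomainName": "changeme",
     "TargetSid": "S-1-5-21-1210427511-1310429627-2740863702-41002",
     "SubjectUserName": "svc_deploy", "SubjectDomainName": "changeme",
     "SubjectLogonId": "0x7b210", "PrivilegeList": "-"},
]]


def parse_events(lines):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def _norm_logon_id(value):
    """Logon IDs are hex strings; compare them case-insensitively."""
    return str(value).lower()


def index_logons(events):
    """Map each 4624's new-session Logon ID (TargetLogonId) to that event."""
    return {_norm_logon_id(ev["TargetLogonId"]): ev
            for ev in events if ev.get("EventID") == 4624}


def correlate_deletions(events):
    """Enrich every 4743 with session context from its matching 4624, if any."""
    logons = index_logons(events)
    rows = []
    for ev in events:
        if ev.get("EventID") != 4743:
            continue
        logon = logons.get(_norm_logon_id(ev.get("SubjectLogonId", "")))
        rows.append({
            "time": ev["EventTime"],
            "dc": ev["Hostname"],
            "deleted_computer": ev["TargetUserName"],
            "target_sid": ev["TargetSid"],
            "subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "logon_id": ev["SubjectLogonId"],
            "logon_matched": logon is not None,   # False: no 4624 in this batch
            "logon_type": logon["LogonType"] if logon else None,
            "source_ip": logon["IpAddress"] if logon else None,
            "privileges": ev.get("PrivilegeList", "-"),
        })
    return rows


def bulk_deleters(rows, threshold):
    """Subjects that deleted at least `threshold` computer accounts in the batch."""
    counts = Counter(row["subject"] for row in rows)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    enriched = correlate_deletions(parse_events(SAMPLE_LINES))
    for row in enriched:
        print(row)
    print("bulk deleters:", bulk_deleters(enriched, 2))
```

A deletion whose Logon ID has no 4624 in the batch is not suspicious by itself (the logon may simply predate the window you queried), so the example keeps the row and marks logon_matched False rather than dropping it; in a SIEM you would widen the lookback on that key before drawing conclusions.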