In This Article

Windows Event ID 4660 – An Object Was Deleted

Danny Murphy
| Read Time 2 min read| Published On - July 17, 2024

Last Updated on July 17, 2024 by Satyendra

4660 Event ID

It is essential for an administrator to have complete visibility over all activities taking place in Active Directory. Knowing what is happening on their Active Directory ensures that any suspicious activity relating to potential security threats is identified and responded to immediately.

When an object is deleted in Active Directory, the Event ID 4660 is logged. Auditing must be enabled in the audit policy of the object for deletions by that particular user, or a group they are a member of, to be logged. The deletion of an object triggers both this event, as well as event 4663. As Event Id 4660 does not provide the Object Name, only a Handle Id, it should be monitored in tandem with 4663, which does specify the Object Name, to enable you to track the deletion of files and other Windows objects.

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Logon ID
  • Object Server
  • Handle ID
  • Process ID
  • Transaction ID
10 Best Practices for Keeping Active Directory SecureFollow the 10 steps in this whitepaper and you will be in a far better position to keep your AD secure.
Download Whitepaper

Why does Event ID 4660 need to be Monitored?

Monitoring the deletion of objects is important for a number of reasons:

  • It aids in the detection of abnormal and potentially malicious activity
  • It enables you to identify any unauthorized deletions of critical Active Directory objects like users, groups, or computer accounts
  • It supports the prevention of privilege abuse
  • Deleting objects could indicate signs of covering up suspicious activity
  • It ensures compliance with regulatory mandates. Some regulations require that changes to Active Directory are tracked

How Lepide Can Help

An alternative, more straightforward, solution to this native method of monitoring deleted objects is to run the Object Deleted Report from the Lepide Data Security Platform.

The Lepide Active Directory auditing tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes including Object Deleted events.

Object Deleted Report

This report is run as follows:

  • Select Lepide Auditor, Reports
  • Select Object Deleted from Active Directory reports
  • Specify a Date Range
  • Select Generate Report

The report is generated and can be filtered, sorted and exported to CSV and PDF format.

Danny Murphy
Danny Murphy

Danny brings over 10 years’ experience in the IT industry to our Leadership team. With award winning success in leading global Pre-Sales and Support teams, coupled with his knowledge and enthusiasm for IT Security solutions, he is here to ensure we deliver market leading products and support to our extensively growing customer base

Popular Blog Posts