Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Windows Event ID 4660 – An Object Was Deleted


It is essential for an administrator to have complete visibility over all activities taking place in Active Directory. Knowing what is happening in Active Directory ensures that any suspicious activity relating to potential security threats is identified and responded to immediately.

When an object is deleted in Active Directory, Event ID 4660 is logged. For a deletion to be logged, auditing must be enabled in the object's audit policy for deletions by that particular user, or by a group they are a member of. Deleting an object triggers both this event and Event ID 4663. Because Event ID 4660 provides only a Handle ID and not the Object Name, it should be monitored in tandem with 4663, which does specify the Object Name, so that you can track the deletion of files and other Windows objects.
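The pairing of 4660 with 4663 described above can be done over exported event XML, shown here as an added example that is not Lepide's code. The sample events are constructed; matching on computer, process ID and handle ID, and ordering by EventRecordID, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE right in the 4663 AccessMask

def _event(event_id, record_id, **data):
    """Build a constructed event in the Windows event XML layout (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"<EventRecordID>{record_id}</EventRecordID>"
            f"<Computer>FS01.example.test</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")

SAMPLE = [  # constructed, trimmed to the fields used below
    _event(4663, 100, SubjectUserName="alice", ObjectName=r"C:\Shares\HR\payroll.xlsx",
           HandleId="0x1a4", ProcessId="0x4", AccessMask="0x10000"),
    _event(4660, 101, SubjectUserName="alice", HandleId="0x1a4", ProcessId="0x4"),
    # same handle value reused for a different file
    _event(4663, 102, SubjectUserName="bob", ObjectName=r"C:\Shares\Finance\q3.docx",
           HandleId="0x1a4", ProcessId="0x4", AccessMask="0x10000"),
    _event(4660, 103, SubjectUserName="bob", HandleId="0x1a4", ProcessId="0x4"),
    # read access only: must not be reported as a deletion
    _event(4663, 104, SubjectUserName="carol", ObjectName=r"C:\Shares\HR\notes.txt",
           HandleId="0x2b0", ProcessId="0x4", AccessMask="0x1"),
    # 4660 whose 4663 is missing from the export
    _event(4660, 105, SubjectUserName="dave", HandleId="0x3c8", ProcessId="0x4"),
]

def parse(xml_text):
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    for tag in ("EventID", "EventRecordID", "Computer"):
        rec[tag] = root.findtext(f"e:System/e:{tag}", namespaces=NS)
    return rec

def correlate_deletions(events_xml):
    """One row per 4660, with ObjectName from the latest 4663 on the same handle."""
    pending, deletions = {}, []
    for ev in sorted(map(parse, events_xml), key=lambda r: int(r["EventRecordID"])):
        key = (ev["Computer"], ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == "4663" and int(ev["AccessMask"], 16) & DELETE:
            pending[key] = ev["ObjectName"]  # a reused handle overwrites the old name
        elif ev["EventID"] == "4660":
            deletions.append({"User": ev["SubjectUserName"], "HandleId": ev["HandleId"],
                              "ObjectName": pending.pop(key, None)})  # None: no 4663 seen
    return deletions

if __name__ == "__main__":
    for row in correlate_deletions(SAMPLE):
        print(row)
```

A row whose ObjectName is None is a confirmed deletion whose 4663 was not in the data set, which usually points at a gap in collection or retention rather than at a harmless event.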

This log data provides the following information:

Why does Event ID 4660 need to be Monitored?

Monitoring the deletion of objects is important for a number of reasons:

  • It aids in the detection of abnormal and potentially malicious activity
  • It enables you to identify any unauthorized deletions of critical Active Directory objects like users, groups, or computer accounts
  • It supports the prevention of privilege abuse
  • Deleted objects could be a sign that someone is covering up suspicious activity
  • It ensures compliance with regulatory mandates. Some regulations require that changes to Active Directory are tracked

How Lepide Can Help

An alternative, more straightforward, solution to this native method of monitoring deleted objects is to run the Object Deleted Report from the Lepide Data Security Platform.

The Lepide Active Directory auditing tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes including Object Deleted events.

This report is run as follows:

  • Select Lepide Auditor, Reports
  • Select Object Deleted from Active Directory reports
  • Specify a Date Range
  • Select Generate Report

The report is generated and can be filtered, sorted and exported to CSV and PDF format.