Windows Event ID 4726 - User Account Deleted
Records when a user account is deleted from the system or Active Directory. Important for tracking account lifecycle, detecting unauthorized deletions, and forensic investigation of cleanup activities after attacks.
Quick Facts
Default Path (Linux)
N/A (Windows Event Forwarding to SIEM)
Default Format
Windows Event Log (EVTX)
JSON Native
No
Rotation
Windows Event Log settings (default 20MB)
Log Example
Default format: Windows Event Log Format
Example Log Entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/29/2026 12:00:00 PM
Event ID: 4726
Task Category: User Account Management
Keywords: Audit Success
Computer: DC01.corp.local
Description:
A user account was deleted.
Subject:
Account Name: Administrator
Account Domain: CORP
Logon ID: 0x12345678
Target Account:
Account Name: olduser
Account Domain: CORP
Structure:
XML-based binary format
Paths by Platform
Available Formats
Windows Event Log Format
Default
Structure:
XML-based binary format
XML Format
Example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4726</EventID>
<Computer>DC01.corp.local</Computer>
</System>
<EventData>
<Data Name="TargetUserName">olduser</Data>
<Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetSid">S-1-5-21-1234567890-1234567890-1234567890-1234</Data>
<Data Name="SubjectUserName">Administrator</Data>
</EventData>
</Event>
Structure:
Native XML representation
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| EventID | integer | Event identifier (always 4726) | 4726 |
| TimeCreated | datetime | Timestamp when account was deleted | 2026-01-29T12:00:00.123Z |
| Computer | string | Computer where deletion occurred | DC01.corp.local |
| SubjectUserName | string | Account that deleted the user | Administrator |
| SubjectDomainName | string | Domain of deleter account | CORP |
| TargetUserName | string | Name of deleted account | olduser |
| TargetDomainName | string | Domain of deleted account | CORP |
| TargetSid | string | SID of deleted account (for historical correlation) | S-1-5-21-1234567890-1234567890-1234567890-1234 |
Parsing Patterns
Grok Patterns
xml:
<Data Name="TargetUserName">%{DATA:target_username}</Data>.*<Data Name="SubjectUserName">%{DATA:subject_username}</Data>
Regular Expressions
xml:
TargetUserName">(?P<target_username>[^<]+)</Data>.*SubjectUserName">(?P<subject_username>[^<]+)</Data>
Collector Configurations
splunk
# Account deletion tracking
index=wineventlog EventCode=4726
| table _time, Computer, SubjectUserName, TargetUserName

# Find unusual deleters
index=wineventlog EventCode=4726 NOT SubjectUserName IN (Administrator, hr_admin)
| table _time, SubjectUserName, TargetUserName

# Mass deletion detection
index=wineventlog EventCode=4726
| bin _time span=1h
| stats count by _time, SubjectUserName
| where count > 5

# Short-lived accounts
index=wineventlog (EventCode=4720 OR EventCode=4726)
| transaction TargetUserName maxspan=24h
| search EventCode=4720 AND EventCode=4726
Configuration
Enable Logging
Enable user account management auditing (same as 4720)
auditpol /set /subcategory:"User Account Management" /success:enable
Log To Syslog
Forward via WEF
# Include with account management events
Use Cases
User offboarding
Track account deletions for HR offboarding
TargetUserName
SubjectUserName
TimeCreated
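Added example (not part of the original page): the regular expression under Parsing Patterns only matches when TargetUserName precedes SubjectUserName on the same line, so this sketch reads the XML format by field name instead and applies the same more-than-5-per-hour threshold as the mass deletion search. The svc_temp account, the sample events and the TimeCreated SystemTime attribute (taken from the standard event XML layout, with the timestamp format of the Fields Reference table) are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(ts, subject, target):
    """Build a constructed 4726 event in the XML layout shown on this page."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">\n'
        "<System>\n<EventID>4726</EventID>\n"
        f'<TimeCreated SystemTime="{ts}"/>\n'
        "<Computer>DC01.corp.local</Computer>\n</System>\n<EventData>\n"
        f'<Data Name="TargetUserName">{target}</Data>\n'
        f'<Data Name="SubjectUserName">{subject}</Data>\n'
        "</EventData>\n</Event>"
    )

def parse_4726(xml_text):
    """Return the fields of one event as a dict, or None if it is not a 4726."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4726":
        return None
    # Look fields up by Name so element order and line breaks do not matter.
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    # Timestamp format follows the TimeCreated example in the fields table.
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    fields["TimeCreated"] = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return fields

def mass_deleters(events, threshold=5):
    """Map (hour, SubjectUserName) -> count for buckets with count > threshold."""
    buckets = Counter(
        (e["TimeCreated"].replace(minute=0, second=0, microsecond=0), e["SubjectUserName"])
        for e in events
    )
    return {key: n for key, n in buckets.items() if n > threshold}

# Constructed sample: six deletions by one account in one hour, one by another.
SAMPLE = [make_event(f"2026-01-29T12:{m:02d}:00.123Z", "svc_temp", f"user{m}") for m in range(6)]
SAMPLE.append(make_event("2026-01-29T12:30:00.123Z", "Administrator", "olduser"))

if __name__ == "__main__":
    parsed = [p for p in map(parse_4726, SAMPLE) if p]
    for (hour, who), n in mass_deleters(parsed).items():
        print(f"{hour.isoformat()} {who} deleted {n} accounts")
```

When the XML comes from hosts you do not control, parse it with a hardened parser such as defusedxml rather than the standard library one.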
Troubleshooting
Tested On
Windows Server 2022
admin - 2026-01-29
Last updated: 2026-01-29 by admin