4743 A computer account was deleted
Logged when a computer account is deleted. Besides legitimate operations such as a machine leaving the domain or being decommissioned, it also captures disruptive deletions.
Overview
The subcategory is Audit Computer Account Management. The event is generated when a computer object is deleted and is recorded only on domain controllers. Paired with the creation event 4741, it tracks the machine account’s lifecycle.
How it is triggered
- A machine leaving the domain, deletion of a computer object in AD, Remove-ADComputer, and so on.
Security review points
- If the computer account of a running server is deleted, that machine’s authentication and domain membership break, impacting availability. Investigate deletion of important machines.
- An attacker may delete a machine account they created temporarily (4741, a foothold for RBCD/noPac) as cleanup. Cross-reference with the creation (4741) and change (4742) history.
Notes for log review
- It occurs legitimately during hardware refresh and decommissioning. Check that the deletion target, acting subject, and timing align with operations.
- Treat deletion of important servers’ or domain controllers’ computer accounts as high priority.
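The cross-referencing described in the review points and log review notes above can be scripted. The following is an added example, not part of the original page: it correlates 4743 with 4741/4742 by TargetSid and flags deletions of short-lived accounts or of watchlisted machines. The flattened record layout, the sample rows, the watchlist, and the 24-hour threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), flattened from DC Security events.
FIELDS = ("id", "time", "TargetUserName", "TargetSid", "SubjectUserName")
ROWS = [
    (4741, "2024-05-01T10:00:00", "TEMPPC01$", "S-1-5-21-1-2-3-5001", "jdoe"),
    (4742, "2024-05-01T10:02:00", "TEMPPC01$", "S-1-5-21-1-2-3-5001", "jdoe"),
    (4743, "2024-05-01T10:20:00", "TEMPPC01$", "S-1-5-21-1-2-3-5001", "jdoe"),
    (4743, "2024-05-02T03:15:00", "FILESRV01$", "S-1-5-21-1-2-3-1105", "svc-ops"),
    (4741, "2024-04-01T09:00:00", "LAPTOP77$", "S-1-5-21-1-2-3-4400", "helpdesk1"),
    (4743, "2024-05-03T14:00:00", "LAPTOP77$", "S-1-5-21-1-2-3-4400", "helpdesk1"),
]
EVENTS = [dict(zip(FIELDS, r)) for r in ROWS]

CRITICAL = {"FILESRV01$", "DC01$"}   # assumed watchlist of important machines
MAX_LIFETIME = timedelta(hours=24)   # assumed cutoff for a "temporary" account


def review_deletions(events, critical=CRITICAL, max_lifetime=MAX_LIFETIME):
    """Return 4743 deletions worth review, correlated with 4741/4742 by SID."""
    created, changes, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        sid, when = ev["TargetSid"], datetime.fromisoformat(ev["time"])
        if ev["id"] == 4741:
            created[sid] = (when, ev["SubjectUserName"])
        elif ev["id"] == 4742:
            changes[sid] = changes.get(sid, 0) + 1
        elif ev["id"] == 4743:
            reasons = []
            if ev["TargetUserName"].upper() in critical:
                reasons.append("critical-machine")
            born = created.pop(sid, None)  # None: created before the log window
            if born and when - born[0] <= max_lifetime:
                reasons.append("short-lived")
            if reasons:
                findings.append({
                    "account": ev["TargetUserName"],
                    "deleted_by": ev["SubjectUserName"],
                    "created_by": born[1] if born else None,
                    "lifetime": when - born[0] if born else None,
                    "changes_4742": changes.get(sid, 0),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in review_deletions(EVENTS):
        print(finding)
```

A deletion with no matching 4741 in the collected window is reported with a lifetime of None rather than skipped, so a watchlisted machine is still surfaced.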
Key fields
| Field | Meaning |
|---|---|
| Target Computer\Account Name | The deleted computer account |
| Subject\Account Name | The subject that performed the deletion |