5141 A directory service object was deleted
Written when an Active Directory object is deleted. It captures deletion of GPOs, OUs, accounts, etc., and together with creation 5137 tracks the AD lifecycle.
Overview
The subcategory is Audit Directory Service Changes. It is generated when an AD object is deleted. It is recorded on domain controllers.
How it is triggered
- Deletion of an AD object such as a user, computer, GPO, OU, or group.
Security review points
- Deleting an important object (a GPO, privileged group, OU, etc.) can impact availability or destroy defenses/configuration. It can occur in the context of an attacker deleting objects involved in monitoring/defense, or erasing traces.
- Check the deleted object and subject. Together with restore 5138, also track the delete-then-revive flow.
Notes for log review
- It occurs during legitimate cleanup and operations. Match the deletion target and subject against normal patterns.
- Confirm deletion of GPO and privilege-related objects at high priority.
Key fields
| Field | Meaning |
|---|---|
Object DN / Class | The deleted object |
Subject\Account Name | The subject that performed the deletion |