Even though we sync vault accounts to AD, we also allow those accounts
to be deleted manually on the AD side. However, delete events from AD
are blocked so that the vault account remains. For auditing purposes, I
would like to be able to capture the out-of-process AD delete and have
it send me an email. Question is: How would I determine if the event
was initiated from the vault, or by the AD Administrator? I don't see
an AD modifier attribute that tells me who made the change.

johnbirkmeier's Profile: https://forums.netiq.com/member.php?userid=860
View this thread: https://forums.netiq.com/showthread.php?t=48483