The Mi-Token suite uses the built-in services of the AD-LDS database, therefore, the audit trails and operations of this component can be used to query specific events.


To check token deletion events, log into the server with a privileged account where the Mi-Token API or RADIUS Plugin is installed, open the Windows Event Viewer.


Open the Windows Logs folder on the left panel and select Security.



Use the Filter Current Log... window to look for events with Event ID 5141.



The center panel will show the list of events and their details.



To identify the user who deleted the token, check the Subject section of the event log:



To identify what token was deleted, check the DN of the Object section of the event log:



Yubico Yubikeys will show "* Yubikey #######", where * will be replaced by the type of configuration used for the Yubikey, and ###### by the serial number set for the key. This information is also shown on the AD Users and Computers window.



Mobile soft tokens will be shown as "Mobile Soft Token #uuid", where the #uuid will be replaced by the id shown on the AD Users and Computers window:



Deleted Temporary tokens are also identified by a CN=Temporary Tokens, as shown below



The Security log, under event 5141 will show any deletion events related to AD or AD LDS, therefore you may find other events not linked to the Mi-Token instance. Use the customized filter by XML or a PowerShell script to retrieve the information according to your needs.