Event ID: 4720A user account was created
A user account was created. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 New Account: Security ID: %3 Account Name: %1 Account Domain: %2 Attributes: SAM Account Name: %9 Display Name: %10 User Principal Name: %11 Home Directory: %12 Home Drive: %13 Script Path: %14 Profile Path: %15 User Workstations: %16 Password Last Set: %17 Account Expires: %18 Primary Group ID: %19 Allowed To Delegate To: %20 Old UAC Value: %21 New UAC Value: %22 User Account Control: %23 User Parameters: %24 SID History: %25 Logon Hours: %26 Additional Information: Privileges %8
This event generates every time a new user object is created.
This event generates on domain controllers, member servers, and workstations.
The creation of user accounts should always be audited on domain controllers, servers and workstations.
ISO 27001:2013 A.9.2.1
ISO 27001:2013 A.9.2.5
NIST SP 800-53: AC-2 (4)
NIST 800-171 3.1.1
PCI 3.2.1: 10.2.5
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User Account Management"
LEFT/RIGHT arrow keys for navigationBack to List