Event ID 4720

A user account was created 

A user account was created.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

New Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2

Attributes:
    SAM Account Name:        %9
    Display Name:           %10
    User Principal Name:    %11
    Home Directory:         %12
    Home Drive:             %13
    Script Path:            %14
    Profile Path:           %15
    User Workstations:      %16
    Password Last Set:      %17
    Account Expires:        %18
    Primary Group ID:       %19
    Allowed To Delegate To: %20
    Old UAC Value:          %21
    New UAC Value:          %22
    User Account Control:   %23
    User Parameters:        %24
    SID History:            %25
    Logon Hours:            %26

Additional Information:
    Privileges      %8


This event generates every time a new user object is created.

This event generates on domain controllers, member servers, and workstations.

Auditing:     Always

The creation of user accounts should always be audited on domain controllers, servers and workstations.


Volume:     Low


ISO 27001:2013 A.9.2.1
ISO 27001:2013 A.9.2.5
NIST SP 800-53: AC-2 (4)
NIST 800-171 3.1.1
CMMC v2 L1: AC.L1-3.1.1
PCI 3.2.1: 10.2.5


Microsoft Documentation

Event ID - 4720



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any bSmith
Account Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any DOMAIN\bSmith
Security ID SubjectUserSid %4 Any DOMAIN\TheAdmin
Account Name SubjectUserName %5 Any TheAdmin
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x30dc2
Privileges PrivilegeList %8 Any View Codes
SAM Account Name SamAccountName %9 Any bSmith
Display Name DisplayName %10 Any Bob Smith
User Principal Name UserPrincipalName %11 Any bSmith@domain.local
Home Directory HomeDirectory %12 Any -
Home Drive HomePath %13 Any -
Script Path ScriptPath %14 Any -
Profile Path ProfilePath %15 Any -
User Workstations UserWorkstations %16 Any -
Password Last Set PasswordLastSet %17 Any <never>
Account Expires AccountExpires %18 Any <never>
Primary Group ID PrimaryGroupId %19 Any 513
Allowed To Delegate To AllowedToDelegateTo %20 Any -
Old UAC Value OldUacValue %21 Any 0x0
New UAC Value NewUacValue %22 Any 0x15
User Account Control UserAccountControl %23 Any 'Normal Account' – Enabled
User Parameters UserParameters %24 Any -
SID History SidHistory %25 Any -
Logon Hours LogonHours %26 Any <value not set>

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
ISO 27001:2013 NIST SP 800-53 Audit Success PCI-DSS NIST 800-171 CMMC L1
Audit Category:
Account Management

Audit Subcategory:
User Account Management
Legacy Events:
624

LEFT/RIGHT arrow keys for navigation

Back to List