Event ID: 4720

A user account was created

A user account was created.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

New Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2

Attributes:
    SAM Account Name:        %9
    Display Name:           %10
    User Principal Name:    %11
    Home Directory:         %12
    Home Drive:             %13
    Script Path:            %14
    Profile Path:           %15
    User Workstations:      %16
    Password Last Set:      %17
    Account Expires:        %18
    Primary Group ID:       %19
    Allowed To Delegate To: %20
    Old UAC Value:          %21
    New UAC Value:          %22
    User Account Control:   %23
    User Parameters:        %24
    SID History:            %25
    Logon Hours:            %26

Additional Information:
    Privileges      %8
Microsoft Documentation

Event ID - 4720



This event generates every time a new user object is created.

This event generates on domain controllers, member servers, and workstations.



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any UserName
Account Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-6609
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any UserName
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x30dc2
Privileges PrivilegeList %8 Any -
SAM Account Name SamAccountName %9 Any UserName
Display Name DisplayName %10 Any User Name
User Principal Name UserPrincipalName %11 Any UserName@domain.local
Home Directory HomeDirectory %12 Any -
Home Drive HomePath %13 Any -
Script Path ScriptPath %14 Any -
Profile Path ProfilePath %15 Any -
User Workstations UserWorkstations %16 Any -
Password Last Set PasswordLastSet %17 Any %%1794
Account Expires AccountExpires %18 Any %%1794
Primary Group ID PrimaryGroupId %19 Any 513
Allowed To Delegate To AllowedToDelegateTo %20 Any -
Old UAC Value OldUacValue %21 Any 0x0
New UAC Value NewUacValue %22 Any 0x15
User Account Control UserAccountControl %23 Any %%2080 %%2082 %%2084
User Parameters UserParameters %24 Any -
SID History SidHistory %25 Any -
Logon Hours LogonHours %26 Any %%1793


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User account Management"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List