Windows Event ID 4700 – Security: A User Account was Created

Event ID 4700 records when a new user account is created on a Windows system. This security audit event provides detailed information about who created the account, when it was created, and the account properties configured during creation.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4700 represents a fundamental security audit event that Windows generates each time a user account is successfully created on the system. This event serves as a permanent record in the Security event log, providing forensic-quality information about account creation activities that security teams and auditors frequently review.

The event structure includes detailed fields such as the Subject (who created the account), Target Account (the new account details), and Additional Information sections. The Subject section identifies the user or process that initiated the account creation, including their SID, account name, domain, and logon ID. The Target Account section provides comprehensive details about the newly created account, including its SID, name, domain, and various account attributes.

Windows generates this event regardless of the method used to create the account, whether through Computer Management, Active Directory Users and Computers, PowerShell cmdlets such as New-LocalUser or New-ADUser, or command-line tools such as net user. The event is written immediately after the account is successfully created and before any subsequent configuration changes are applied.

In domain environments, this event appears on domain controllers when domain accounts are created, while local account creation generates the event on the specific machine where the account was created. The event's presence indicates that the system's audit policy for User Account Management is properly configured and functioning, making it a reliable indicator for security monitoring systems and SIEM solutions.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator or authorized user creating a new local user account through Computer Management console
  • PowerShell commands such as New-LocalUser or New-ADUser being executed
  • Command-line account creation using net user command with /add parameter
  • Automated scripts or applications creating user accounts programmatically
  • Domain administrator creating new domain user accounts in Active Directory
  • System processes creating service accounts or built-in accounts during software installation
  • Group Policy-driven account creation in enterprise environments
  • Third-party identity management systems provisioning new user accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to the Security log to examine the event details:

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by Event ID 4700 using the Filter Current Log option
  4. Double-click on the Event ID 4700 entry to view detailed information
  5. Review the Subject section to identify who created the account
  6. Examine the Target Account section for new account details
  7. Check the Additional Information section for account attributes and flags
  8. Note the timestamp to correlate with other security events if needed

The event details will show the Security ID, Account Name, Account Domain, and Logon ID of both the creator and the newly created account.

02

Query Events Using PowerShell

Use PowerShell to programmatically retrieve and analyze Event ID 4700 occurrences:

# Get recent account creation events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4700} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message

# Filter events by specific time range
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4700; StartTime=$StartTime; EndTime=$EndTime}

# Extract specific information from event data
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4700} -MaxEvents 10 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $EventData = $Event.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        TargetUserName = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        TargetDomain = ($EventData | Where-Object {$_.Name -eq 'TargetDomainName'}).'#text'
    }
}

This approach allows for automated monitoring and reporting of account creation activities across multiple systems.

03

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture Event ID 4700 consistently:

  1. Open Group Policy Management Console or run gpedit.msc for local policy
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  3. Expand Account Management and locate Audit User Account Management
  4. Configure the policy for both Success and Failure events
  5. Apply the policy and run gpupdate /force to refresh settings

Verify the current audit settings using command line:

# Check current audit policy settings
auditpol /get /category:"Account Management"

# Set audit policy for user account management
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Verify the configuration
auditpol /get /subcategory:"User Account Management"

Pro tip: Enable both success and failure auditing to capture unauthorized account creation attempts.
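The auditpol checks above are easier to act on when the result is parsed rather than read by eye. This added example (not from the original article) uses auditpol's machine-readable CSV output (the /r switch) to verify that the subcategory audits both Success and Failure, and flags anything less.

```powershell
# Added example: verify the "User Account Management" audit setting
# from auditpol's CSV output instead of reading the table by hand.
function Test-UserAccountManagementAudit {
    # /r emits: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # On a localized OS the subcategory can also be addressed by its GUID,
    # {0CCE9235-69AE-11D9-BED3-505054503030}, which does not change with UI language.
    $raw = & auditpol.exe /get /subcategory:"User Account Management" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed with exit code $LASTEXITCODE (run from an elevated prompt)"
    }
    # Skip the blank line auditpol prints before the header, then parse the single data row
    $row = $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv | Select-Object -First 1
    $setting = $row.'Inclusion Setting'   # "Success and Failure", "Success", "Failure" or "No Auditing"

    [PSCustomObject]@{
        Subcategory      = $row.Subcategory
        InclusionSetting = $setting
        SuccessEnabled   = [bool]($setting -match 'Success')
        FailureEnabled   = [bool]($setting -match 'Failure')
        Compliant        = ($setting -eq 'Success and Failure')
    }
}

$result = Test-UserAccountManagementAudit
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "Account creation auditing is incomplete: current setting is '$($result.InclusionSetting)'."
    # Remediation as shown in the step above (elevation required):
    # auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
}
```

Run it after gpupdate /force to confirm the policy actually landed on the machine, not just in the GPO.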

04

Implement Automated Monitoring and Alerting

Set up automated monitoring for Event ID 4700 to detect unauthorized account creation:

  1. Create a PowerShell script for continuous monitoring:
# Create monitoring script
# Note: a WMI event subscription lives only as long as the PowerShell session
# that registered it, so run this from a persistent session or a scheduled job.
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4700" `
    -SourceIdentifier 'AccountCreationWatch' -Action {
        $NtEvent = $Event.SourceEventArgs.NewEvent   # $Event is PowerShell's automatic event variable
        $Message = "New user account created: $($NtEvent.InsertionStrings[5]) by $($NtEvent.InsertionStrings[1])"
        # Requires the "AccountMonitor" source to exist (created with New-EventLog below)
        Write-EventLog -LogName Application -Source "AccountMonitor" -EventId 1001 -Message $Message -EntryType Information
        # Send email or trigger alert system here
    }

# Remove the subscription when monitoring should stop
# Unregister-Event -SourceIdentifier 'AccountCreationWatch'
  2. Configure Windows Task Scheduler to run monitoring scripts
  3. Set up email notifications or SIEM integration
  4. Create custom event log source for monitoring alerts:
# Create custom event source (run as administrator)
New-EventLog -LogName Application -Source "AccountMonitor"

# Test the custom logging
Write-EventLog -LogName Application -Source "AccountMonitor" -EventId 1001 -Message "Account monitoring initialized" -EntryType Information

Warning: Ensure monitoring scripts have appropriate permissions and error handling to prevent service disruption.
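A WMI subscription disappears with the session that created it. This added example (not from the original article) is the Task Scheduler variant of the monitor above: it polls the Security log, remembers the last processed EventRecordID in a state file so a late or restarted run neither skips nor re-alerts events, and writes to the AccountMonitor source created above. The state-file path is an assumption.

```powershell
# Added example: polling collector for a scheduled task, with a persisted
# EventRecordID watermark so every account-creation event is handled exactly once.
$EventId   = 4700                                                            # the event ID this article covers
$StatePath = Join-Path $env:ProgramData 'AccountMonitor\last-record.txt'     # assumed location

New-Item -ItemType Directory -Path (Split-Path $StatePath) -Force | Out-Null
$lastRecord = if (Test-Path $StatePath) { [int64]((Get-Content -Path $StatePath -Raw).Trim()) } else { 0 }

# Filter server-side: only records newer than the one processed on the previous run
$xpath  = "*[System[EventID=$EventId and EventRecordID > $lastRecord]]"
$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
            Sort-Object RecordId)

foreach ($evt in $events) {
    # Index EventData by field name once instead of one Where-Object per field
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    $msg = "Account '{0}\{1}' created by '{2}\{3}' (logon ID {4}) at {5:u}" -f
        $fields['TargetDomainName'], $fields['TargetUserName'],
        $fields['SubjectDomainName'], $fields['SubjectUserName'],
        $fields['SubjectLogonId'], $evt.TimeCreated

    Write-EventLog -LogName Application -Source 'AccountMonitor' -EventId 1001 `
        -EntryType Information -Message $msg
    # Hand $msg to a SIEM forwarder or mail alert here
}

# Advance the watermark only after every event in this batch was handled
if ($events.Count -gt 0) {
    Set-Content -Path $StatePath -Value $events[-1].RecordId
}
```

Schedule it every few minutes under an account that can read the Security log; if the state file is deleted, the next run starts from record 0 and re-emits history, which is the safe direction to fail.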

05

Forensic Analysis and Correlation

Perform comprehensive forensic analysis of Event ID 4700 in conjunction with related security events:

  1. Correlate with related events for complete timeline:
# Get comprehensive account management events
$AccountEvents = @(4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767, 4781)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$AccountEvents; StartTime=(Get-Date).AddDays(-1)} | 
    Sort-Object TimeCreated | 
    Select-Object TimeCreated, Id, LevelDisplayName, @{Name='EventDescription';Expression={
        switch($_.Id) {
            4720 {'User account was created'}
            4722 {'User account was enabled'}
            4724 {'An attempt was made to reset an account password'}
            4725 {'User account was disabled'}
            4726 {'User account was deleted'}
            4738 {'User account was changed'}
            4740 {'User account was locked out'}
            4767 {'User account was unlocked'}
            4781 {'The name of an account was changed'}
        }
    }}

# Extract and analyze account creation patterns
$CreationEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4700; StartTime=(Get-Date).AddDays(-30)}
$CreationEvents | ForEach-Object {
    $EventXml = [xml]$_.ToXml()
    $EventData = $EventXml.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Creator = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        CreatedAccount = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        Domain = ($EventData | Where-Object {$_.Name -eq 'TargetDomainName'}).'#text'
        WorkstationName = ($EventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
    }
} | Group-Object Creator | Sort-Object Count -Descending
  2. Export findings for compliance reporting:
# Generate compliance report
$Report = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4700; StartTime=(Get-Date).AddDays(-90)} | 
    ForEach-Object {
        $EventXml = [xml]$_.ToXml()
        $EventData = $EventXml.Event.EventData.Data
        [PSCustomObject]@{
            Timestamp = $_.TimeCreated
            CreatedBy = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            AccountName = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            AccountSID = ($EventData | Where-Object {$_.Name -eq 'TargetSid'}).'#text'
            Domain = ($EventData | Where-Object {$_.Name -eq 'TargetDomainName'}).'#text'
        }
    }

$Report | Export-Csv -Path "C:\Reports\AccountCreation_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

This comprehensive analysis helps identify patterns, unauthorized activities, and ensures compliance with security policies.

Overview

Event ID 4700 fires whenever a new user account is created on a Windows system, whether through the GUI, PowerShell, or command-line tools. This security audit event appears in the Security log and provides comprehensive details about the account creation process, including who performed the action, the target account name, and various account attributes set during creation.

This event is part of Windows' user account management auditing and requires the 'Audit User Account Management' policy to be enabled. The event captures both local account creation and domain account creation when logged on domain controllers. System administrators rely on this event for security monitoring, compliance reporting, and investigating unauthorized account creation activities.

The event includes critical information such as the Security ID (SID) of both the creator and the new account, account name, domain information, and account flags that indicate the account's initial configuration. Understanding this event is essential for maintaining proper security oversight in Windows environments, particularly in enterprise settings where account creation should follow established procedures.

Frequently Asked Questions

What does Event ID 4700 indicate and why is it important for security monitoring?
Event ID 4700 indicates that a new user account has been successfully created on the Windows system. This event is crucial for security monitoring because it provides a complete audit trail of account creation activities, including who created the account, when it was created, and the initial account properties. Security teams use this event to detect unauthorized account creation, ensure compliance with account provisioning policies, and investigate potential security breaches. The event captures both the subject (creator) and target account information, making it invaluable for forensic analysis and maintaining proper access control oversight.
How can I distinguish between legitimate and suspicious account creation events in Event ID 4700?
To distinguish between legitimate and suspicious account creation events, analyze several key factors: First, verify the creator's identity in the Subject section - legitimate creations typically come from authorized administrators or service accounts. Second, examine the timing - account creation outside business hours or in rapid succession may indicate suspicious activity. Third, check the account naming patterns - legitimate accounts usually follow organizational naming conventions, while suspicious accounts may have random or generic names. Fourth, correlate with other events like logon activities (Event ID 4624) to ensure the creator was legitimately authenticated. Finally, review the account attributes and group memberships assigned during creation - suspicious accounts may be granted excessive privileges immediately upon creation.
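The heuristics in this answer can be run as code. This added example (not from the original article) scores events that have already been extracted into objects with TimeCreated, Creator and CreatedAccount, the shape produced by the extraction in step 05. The authorized-creator list and the first.last naming convention are placeholders to adapt; the sample input is constructed.

```powershell
# Added example: score account-creation events against the triage heuristics
# (unexpected creator, off-hours, naming convention, rapid succession).
function Test-SuspiciousAccountCreation {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $AuthorizedCreators = @(),
        [string]   $NamingPattern = '^[a-z]+\.[a-z]+$',      # assumed convention: first.last
        [int] $BusinessStart = 8,  [int] $BusinessEnd = 18,   # local business hours, 24h clock
        [int] $BurstThreshold = 5, [int] $BurstWindowMinutes = 10
    )
    $sorted = @($Events | Sort-Object TimeCreated)
    foreach ($e in $sorted) {
        $reasons = [System.Collections.Generic.List[string]]::new()
        if ($AuthorizedCreators -notcontains $e.Creator) { $reasons.Add('creator not authorized') }
        $hour = $e.TimeCreated.Hour
        if ($hour -lt $BusinessStart -or $hour -ge $BusinessEnd) { $reasons.Add('outside business hours') }
        if ($e.CreatedAccount -notmatch $NamingPattern) { $reasons.Add('name violates convention') }
        # Rapid succession: this creator's events in the window ending at this event
        $since = $e.TimeCreated.AddMinutes(-$BurstWindowMinutes)
        $burst = @($sorted | Where-Object {
            $_.Creator -eq $e.Creator -and $_.TimeCreated -ge $since -and $_.TimeCreated -le $e.TimeCreated
        }).Count
        if ($burst -ge $BurstThreshold) { $reasons.Add("$burst creations in $BurstWindowMinutes min") }
        [PSCustomObject]@{
            TimeCreated    = $e.TimeCreated
            Creator        = $e.Creator
            CreatedAccount = $e.CreatedAccount
            Score          = $reasons.Count
            Reasons        = $reasons -join '; '
        }
    }
}

# Constructed sample input (not real log data): one routine provisioning, one
# off-hours creation by an unexpected account, and a burst of generic names.
$sample = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-16T10:15:00'; Creator = 'svc-idm';    CreatedAccount = 'jane.doe' }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-16T02:47:00'; Creator = 'localadmin'; CreatedAccount = 'support1' }
)
foreach ($i in 1..5) {
    $sample += [PSCustomObject]@{ TimeCreated = ([datetime]'2026-03-16T11:00:00').AddMinutes($i); Creator = 'svc-idm'; CreatedAccount = "tmp$i" }
}

Test-SuspiciousAccountCreation -Events $sample -AuthorizedCreators 'svc-idm' |
    Where-Object Score -gt 0 | Format-Table -AutoSize
```

With this input jane.doe scores 0, support1 scores 3, and tmp5 is the first of the burst to pick up the rapid-succession reason on top of the naming violation.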
Why am I not seeing Event ID 4700 in my Security log even though accounts are being created?
If Event ID 4700 is not appearing in your Security log, the most likely cause is that the audit policy for User Account Management is not enabled. To resolve this, navigate to Group Policy Management and enable 'Audit User Account Management' under Advanced Audit Policy Configuration > Account Management. You can also use the command 'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable' to enable auditing. Additionally, ensure the Security log has sufficient space and is not being overwritten too quickly. In domain environments, verify that the audit policy is properly applied to the target systems and that Group Policy has been refreshed with 'gpupdate /force'.
Can Event ID 4700 help me track service account creation and automated account provisioning?
Yes, Event ID 4700 effectively tracks service account creation and automated account provisioning. When service accounts are created, the event will show the creating process or service in the Subject section, often displaying system account names or service identities. For automated provisioning systems, you'll see the service account or application identity that performed the creation. To specifically monitor automated account creation, filter events where the Subject UserName contains service account patterns or system identities, and look for rapid account creation patterns that indicate bulk provisioning. You can also correlate these events with application logs from identity management systems to create a complete audit trail of automated account lifecycle management.
How should I configure retention and monitoring for Event ID 4700 in enterprise environments?
In enterprise environments, configure Event ID 4700 retention and monitoring based on compliance requirements and security policies. Set the Security log size to at least 100MB or larger depending on account creation frequency, and configure log retention for a minimum of 90 days to meet most compliance standards. Implement log forwarding to a central SIEM or log management system to prevent local log overwrites and enable long-term analysis. Set up real-time alerts for Event ID 4700 occurrences, especially during off-hours or when created by non-administrative accounts. Create automated reports that summarize account creation activities weekly and monthly for security reviews. Consider implementing log archiving to meet longer retention requirements, and ensure backup systems include Security event logs for disaster recovery scenarios.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
