Windows Event ID 4706 – Microsoft-Windows-Security-Auditing: A New Trust Was Created to a Domain

Event ID 4706 is logged when a new trust to another domain is created. It is frequently mislabelled as the "directory object created" event; that event is ID 5137 (Audit Directory Service Changes), which records the creation of organizational units, users, groups and computer accounts. This page explains what 4706 actually records and how to audit and investigate object creation with 5137.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

What This Event Means

Windows Event ID 4706, "A new trust was created to a domain", is written to the Security log of a domain controller under the Policy Change category (subcategory Audit Authentication Policy Change) when a trust relationship to another domain or forest is established. It is not a generic object-creation event. Its fields are Subject (Security ID, Account Name, Account Domain and Logon ID of the account that created the trust), Trusted Domain (Domain Name and Domain ID, the SID of the trusted domain) and Trust Information (Trust Type, Trust Direction, Trust Attributes and SID Filtering). A new trust is rare in most environments and always deserves a ticket: an attacker with Domain Admin rights can create a trust to a domain under their control and keep it as a persistent inbound path, and a trust with SID filtering disabled honours SID history presented from the other side.

The event that records the creation of an Active Directory object (user, computer, group, organizational unit or any other class, including the trustedDomain object that a new trust itself creates) is Event ID 5137, "A directory service object was created", under Audit Directory Service Changes. Its fields are Subject (Security ID, Account Name, Account Domain, Logon ID), Directory Service (Name, Type), Object (DN, GUID, Class) and Operation (Correlation ID, Application Correlation ID). It carries no Process Name, Process ID or Client Address: the process that issued the LDAP add runs on the client, not on the domain controller. The source of a change is recovered by matching the Subject Logon ID to the 4624 logon event on the same domain controller, and the attribute values written as part of the same creation appear as 5136 events that share its Correlation ID. The rest of this page uses 5137 for object-creation monitoring and treats 4706 as one of the high-value events to correlate with it.

From a security perspective, 5137 is an early signal of unauthorized directory modification. Attackers create rogue user accounts, groups and OUs to establish persistence or escalate privilege; security teams watch for creations outside business hours, bulk creation by accounts that are not provisioning systems, objects created in privileged partitions or containers, and creations by accounts that should not hold create-child rights at all.

Both events also support compliance auditing. SOX, HIPAA and PCI DSS require retained logs of identity and access management changes, and 5137 (who created which object, when, under which logon) together with 4706 (who established a trust, with which attributes) is the audit trail that demonstrates it.

Applies to

Windows Server 2019, Windows Server 2022, Windows Server 2025 (both event IDs exist on every version since Windows Server 2008)
Analysis

Possible Causes

  • Administrator creating user accounts, groups or OUs in Active Directory Users and Computers or the Active Directory Administrative Center (5137)
  • Automated provisioning creating objects with the ActiveDirectory PowerShell module, LDAP or ADSI (5137)
  • Exchange Server creating mail-enabled objects during mailbox provisioning (5137)
  • Third-party identity management or directory synchronization writing objects to Active Directory (5137)
  • Computers joining the domain, where the joining user or a pre-staging script creates the computer account (5137)
  • Service accounts created during application installations (5137)
  • Organizational unit restructuring creating new OU containers (5137)
  • Security or distribution group creation for access control management (5137)
  • Schema extensions adding classSchema or attributeSchema objects to the Schema partition (5137)
  • An administrator creating a trust in Active Directory Domains and Trusts or with netdom trust /add (4706, plus a 5137 for the trustedDomain object)
  • Malicious actors creating unauthorized accounts, groups or trusts for persistence (5137, 4706)
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific event to understand what was created and by whom. The steps below are written for 5137; a 4706 is read the same way, with the sections Subject, Trusted Domain and Trust Information instead of Object and Operation.

  1. Open Event Viewer on the domain controller that logged the event (only the DC that handled the write logs it)
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 5137 (or 4706) with Filter Current Log
  4. Double-click the event to view its details
  5. Review the Subject section for the account that performed the creation and note its Logon ID; it is the key to the 4624 logon that tells you where the request came from
  6. Check the Object section for the DN, GUID and Class
  7. Note the Correlation ID in the Operation section; the 5136 events that populated the new object's attributes share it

Use PowerShell to query many events efficiently. Parse the EventData XML rather than the rendered Message text: the labels in Message depend on the display language, and the 5137 layout ("DN:", "Class:") does not match the "Object DN:" pattern that message-scraping scripts usually look for:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137} -MaxEvents 50 | ForEach-Object { $evt = $_; $d = @{}; ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }; [PSCustomObject]@{ TimeCreated = $evt.TimeCreated; User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; LogonId = $d.SubjectLogonId; ObjectClass = $d.ObjectClass; ObjectDN = $d.ObjectDN } }
02

Analyze Creation Patterns with PowerShell

Investigate unusual creation patterns that might indicate unauthorized activity or a runaway provisioning job. Keep the parsed objects in a variable; grouping or filtering the raw EventLogRecord objects by User or ObjectClass silently matches nothing, because those properties only exist on the parsed output.

  1. Query events from the last 24 hours and parse each one's EventData into a flat object:
$StartTime = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137; StartTime=$StartTime} -ErrorAction SilentlyContinue
$Parsed = $Events | ForEach-Object {
    $evt = $_
    # EventData field names are stable across display languages; the Message text is not
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        TimeCreated   = $evt.TimeCreated
        User          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId       = $d.SubjectLogonId
        ObjectDN      = $d.ObjectDN
        ObjectGUID    = $d.ObjectGUID
        ObjectClass   = $d.ObjectClass
        CorrelationId = $d.OpCorrelationID
    }
} | Sort-Object TimeCreated
$Parsed | Format-Table TimeCreated, User, ObjectClass, ObjectDN -AutoSize
  2. Group creations by user to identify bulk operations:
$Parsed | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
  3. Filter for specific object classes, for example user accounts:
$Parsed | Where-Object { $_.ObjectClass -eq 'user' } | Format-Table TimeCreated, User, ObjectDN -AutoSize
03

Cross-Reference with Active Directory Logs

Correlate a 5137 with the other events the same operation produces, and with the account-management and policy-change events that fire alongside it, to build a complete picture of the change.

  1. Collect the related Security events around the time of the creation. 5136, 5138, 5139 and 5141 are the other Directory Service Changes events (modified, undeleted, moved, deleted); 4720, 4741, 4727, 4731 and 4754 are the Account Management views of a user, computer or group being created; 4728-4757 cover group membership changes; 4706 is a new trust:
$TargetTime = Get-Date '2026-03-18 14:30:00'
$TimeWindow = 300 # seconds either side of the target
$StartTime = $TargetTime.AddSeconds(-$TimeWindow)
$EndTime   = $TargetTime.AddSeconds($TimeWindow)

# Related AD events in the window; -ErrorAction avoids the "No events were found" error on an empty window
$RelatedEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662,4706,4720,4727,4728,4729,4731,4732,4733,4741,4754,4756,4757,5136,5137,5138,5139,5141
    StartTime = $StartTime
    EndTime   = $EndTime
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated
$RelatedEvents | Format-Table TimeCreated, Id, @{Name='Subject';Expression={$_.Properties[1].Value}} -AutoSize
  2. Examine the Directory Service log for errors or warnings in the same window. By default it records replication, database and schema problems, not individual LDAP writes (those only appear if the NTDS diagnostic level for "16 LDAP Interface Events" is raised), so use it for context rather than attribution:
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue | Where-Object { $_.LevelDisplayName -eq 'Warning' -or $_.LevelDisplayName -eq 'Error' }
  3. Check the Active Directory Web Services log if the change was made with the ActiveDirectory PowerShell module or the Administrative Center, which go through ADWS rather than plain LDAP:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-ActiveDirectory_WebServices/Operational'; StartTime=$StartTime; EndTime=$EndTime} -ErrorAction SilentlyContinue
Pro tip: Use the Object GUID from the 5137 to follow the same object through later 5136, 5139 and 5141 events (the DN changes on a move or delete, the GUID never does), and the Operation Correlation ID to group every event that one LDAP write produced.
04

Investigate Object Creation Source and Context

Determine the source and legitimacy of an object creation. 5137 has no Process Name, Process ID or Client Address field, so the process cannot be read from the event at all (it ran on the client), and the network source has to be recovered from the logon: the Subject Logon ID in the 5137 refers to the logon session that the LDAP bind created on this domain controller, and the 4624 that opened that session carries the source IP, workstation name and logon type.

  1. Parse the recent 5137 events, keeping the Logon ID and Correlation ID:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137} -MaxEvents 100 -ErrorAction SilentlyContinue
$Creations = $Events | ForEach-Object {
    $evt = $_
    $d = @{}
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        TimeCreated   = $evt.TimeCreated
        User          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId       = $d.SubjectLogonId      # key for the 4624 lookup below
        CorrelationId = $d.OpCorrelationID     # shared with the 5136 attribute writes of the same add
        ObjectClass   = $d.ObjectClass
        ObjectDN      = $d.ObjectDN
    }
}
$Creations | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
  2. Resolve each Logon ID to the 4624 that opened it. The 4624's TargetLogonId is the value the 5137 calls Subject Logon ID; a logon type of 3 is a network bind (LDAP, ADWS), 2 or 10 means someone was working on the DC itself:
# Index the 4624 logons on this DC by Logon ID
$Logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $Logons[$d.TargetLogonId] = $d
    }

$WithSource = $Creations | ForEach-Object {
    $src = $Logons[$_.LogonId]
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        User        = $_.User
        ObjectClass = $_.ObjectClass
        ObjectDN    = $_.ObjectDN
        LogonType   = $(if ($src) { $src.LogonType } else { 'unknown' })
        SourceIp    = $(if ($src) { $src.IpAddress } else { 'unknown' })
        Workstation = $(if ($src) { $src.WorkstationName } else { 'unknown' })
    }
}
$WithSource | Format-Table TimeCreated, User, SourceIp, Workstation, LogonType, ObjectDN -AutoSize
  3. Group by source address to find creations that did not originate on the domain controller itself:
# The DC's own addresses, plus the placeholders 4624 uses for local logons
$Local = @('-', '::1', '127.0.0.1') + @((Get-NetIPAddress).IPAddress)
$WithSource | Where-Object { $_.SourceIp -notin $Local } | Group-Object SourceIp | Sort-Object Count -Descending | Select-Object Name, Count
Warning: Creations from addresses you do not recognise, from workstations that are not admin hosts, or from accounts whose logon type does not fit how they normally work, need immediate follow-up. A SourceIp of 'unknown' means the matching 4624 is no longer in the Security log; raise the log size or forward events before the next incident.
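The two correlations described in steps 03 and 04 (grouping a write's events by Correlation ID, and resolving the Subject Logon ID to the 4624 that carries the source address) carried through end to end, as an added example that is not code from the original page. It works on the event XML, so it runs offline on the constructed sample records embedded below (the domain corp.example, the account names, SIDs, GUIDs, Logon IDs and the address 10.20.30.40 are made up) and on a domain controller against the XML that Get-WinEvent returns:

```powershell
# Added example, not code from the original page. Reconstructs one directory write end to end:
# parses the EventData XML of 5137/5136 (the creation and the attribute writes that followed it)
# and 4624 (the logon the Subject Logon ID refers to), groups the directory events by
# OpCorrelationID, and joins each operation to its logon to recover the source address.
# $SampleXml is constructed sample data shaped like real records; every value in it is made up.
# On a DC replace it with:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,5136,5137} | ForEach-Object { $_.ToXml() }

function ConvertFrom-SecurityEventXml {
    # One event's XML -> Id, Time and a Name->value table of its EventData fields
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $x = [xml]$Xml
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [PSCustomObject]@{
            Id   = [int]$x.Event.System.EventID
            Time = [datetime]$x.Event.System.TimeCreated.SystemTime
            Data = $d
        }
    }
}

function Get-DirectoryChangeOperations {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $records = $EventXml | ConvertFrom-SecurityEventXml

    # A 5137's SubjectLogonId equals the TargetLogonId of the 4624 logged on the same DC
    $logons = @{}
    foreach ($r in ($records | Where-Object { $_.Id -eq 4624 })) { $logons[$r.Data.TargetLogonId] = $r.Data }

    # One LDAP add yields a 5137 plus one 5136 per attribute value, all with the same OpCorrelationID
    $records | Where-Object { $_.Id -in 5136, 5137, 5138, 5139, 5141 } |
        Group-Object { $_.Data.OpCorrelationID } | ForEach-Object {
            $grp   = $_
            $first = $grp.Group | Sort-Object Time | Select-Object -First 1
            $src   = $logons[$first.Data.SubjectLogonId]
            [PSCustomObject]@{
                CorrelationId = $grp.Name
                Time          = $first.Time
                Subject       = "$($first.Data.SubjectDomainName)\$($first.Data.SubjectUserName)"
                ObjectDN      = $first.Data.ObjectDN
                ObjectClass   = $first.Data.ObjectClass
                Created       = [bool]($grp.Group | Where-Object { $_.Id -eq 5137 })
                AttributesSet = @($grp.Group | Where-Object { $_.Id -eq 5136 } | ForEach-Object { $_.Data.AttributeLDAPDisplayName })
                # 'unknown': no 4624 for that Logon ID in the input (log rolled over, or not collected)
                SourceIp      = $(if ($src) { $src.IpAddress } else { 'unknown' })
                Workstation   = $(if ($src) { $src.WorkstationName } else { 'unknown' })
                LogonType     = $(if ($src) { $src.LogonType } else { 'unknown' })
            }
        }
}

# Constructed sample: a provisioning account's network logon, the user it created with two attribute
# writes in the same operation, and a second creation whose logon is not in the sample.
$NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
$SampleXml = @(
  "<Event $NS><System><EventID>4624</EventID><TimeCreated SystemTime='2026-03-18T14:29:58.000Z'/></System><EventData><Data Name='TargetUserName'>svc-provision</Data><Data Name='TargetDomainName'>CORP</Data><Data Name='TargetLogonId'>0x3a9f2c1</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.20.30.40</Data><Data Name='WorkstationName'>IDM01</Data><Data Name='AuthenticationPackageName'>Kerberos</Data></EventData></Event>",
  "<Event $NS><System><EventID>5137</EventID><TimeCreated SystemTime='2026-03-18T14:30:01.000Z'/></System><EventData><Data Name='SubjectUserName'>svc-provision</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>0x3a9f2c1</Data><Data Name='DSName'>corp.example</Data><Data Name='ObjectDN'>CN=jdoe,OU=Staff,DC=corp,DC=example</Data><Data Name='ObjectGUID'>{1b2c3d4e-0000-4000-8000-000000000001}</Data><Data Name='ObjectClass'>user</Data><Data Name='OpCorrelationID'>{7f3e0000-0000-4000-8000-0000000000aa}</Data></EventData></Event>",
  "<Event $NS><System><EventID>5136</EventID><TimeCreated SystemTime='2026-03-18T14:30:01.100Z'/></System><EventData><Data Name='SubjectUserName'>svc-provision</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>0x3a9f2c1</Data><Data Name='ObjectDN'>CN=jdoe,OU=Staff,DC=corp,DC=example</Data><Data Name='ObjectClass'>user</Data><Data Name='AttributeLDAPDisplayName'>sAMAccountName</Data><Data Name='AttributeValue'>jdoe</Data><Data Name='OperationType'>%%14674</Data><Data Name='OpCorrelationID'>{7f3e0000-0000-4000-8000-0000000000aa}</Data></EventData></Event>",
  "<Event $NS><System><EventID>5136</EventID><TimeCreated SystemTime='2026-03-18T14:30:01.200Z'/></System><EventData><Data Name='SubjectUserName'>svc-provision</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>0x3a9f2c1</Data><Data Name='ObjectDN'>CN=jdoe,OU=Staff,DC=corp,DC=example</Data><Data Name='ObjectClass'>user</Data><Data Name='AttributeLDAPDisplayName'>userAccountControl</Data><Data Name='AttributeValue'>512</Data><Data Name='OperationType'>%%14674</Data><Data Name='OpCorrelationID'>{7f3e0000-0000-4000-8000-0000000000aa}</Data></EventData></Event>",
  "<Event $NS><System><EventID>5137</EventID><TimeCreated SystemTime='2026-03-18T14:31:40.000Z'/></System><EventData><Data Name='SubjectUserName'>backupadm</Data><Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>0x5d00e2</Data><Data Name='DSName'>corp.example</Data><Data Name='ObjectDN'>CN=helpdesk-tmp,CN=Users,DC=corp,DC=example</Data><Data Name='ObjectGUID'>{1b2c3d4e-0000-4000-8000-000000000002}</Data><Data Name='ObjectClass'>user</Data><Data Name='OpCorrelationID'>{a9d10000-0000-4000-8000-0000000000bb}</Data></EventData></Event>"
)

Get-DirectoryChangeOperations -EventXml $SampleXml | Sort-Object Time | Format-List
```

On the sample this reports two operations: the creation of CN=jdoe by CORP\svc-provision, attributed to 10.20.30.40 (IDM01, logon type 3) with sAMAccountName and userAccountControl set in the same write, and the creation of CN=helpdesk-tmp by CORP\backupadm with SourceIp 'unknown', which is the case that sends you to the other domain controllers' logs or to the forwarded copy. The join is keyed on the raw Logon ID string, so both event types must come from the same DC.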
05

Configure Advanced Monitoring and Alerting

Set up proactive monitoring to detect suspicious object creation patterns and automate response procedures.

  1. Create a monitoring script and a scheduled task that runs it hourly. Write-EventLog needs its source registered once, and $Events is $null when nothing was found, so the count is taken through @():
# Monitoring script; registers the event source on first run
$MonitoringScript = @'
$Threshold = 10
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5137; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue
if (-not [System.Diagnostics.EventLog]::SourceExists('AD Monitor')) {
    New-EventLog -LogName Application -Source 'AD Monitor'
}
$Count = @($Events).Count
if ($Count -gt $Threshold) {
    $Alert = "High volume of AD object creation detected: $Count objects in the last hour (threshold $Threshold)"
    Write-EventLog -LogName Application -Source 'AD Monitor' -EventId 1001 -EntryType Warning -Message $Alert
    # Send email alert here if configured
}
'@

New-Item -ItemType Directory -Path 'C:\Scripts' -Force | Out-Null
$MonitoringScript | Out-File -FilePath 'C:\Scripts\Monitor-ADCreation.ps1' -Encoding UTF8

# Run it every hour as SYSTEM, which can read the Security log
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Monitor-ADCreation.ps1'
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'Monitor-ADCreation' -Action $Action -Trigger $Trigger -User 'SYSTEM' -RunLevel Highest
  2. Configure Windows Event Forwarding to centralize the events. Save the subscription XML on the collector first, then create the subscription from it. A source-initiated subscription also requires the domain controllers to be pointed at the collector (Computer Configuration → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager) and to be admitted by the AllowedSourceDomainComputers SDDL; without that element no source can forward:

<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ADObjectCreation</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward AD object creation (5137) and new trust (4706) events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>MinLatency</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=5137 or EventID=4706)]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>HTTP</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <!-- DD is the Domain Controllers group; add (A;;GA;;;DC) to admit Domain Computers as well -->
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>

# On the collector server, create the subscription from the file
wecutil cs ADObjectCreation.xml
  3. Set up a custom view for security operations. Event Viewer custom views are XML files; save the one below and import it with Action → Import Custom View:
$CustomViewXML = @'
<ViewerConfig>
    <QueryConfig>
        <QueryParams>
            <UserQuery />
        </QueryParams>
        <QueryNode>
            <Name>AD Object Creation Monitoring</Name>
            <QueryList>
                <Query Id="0" Path="Security">
                    <Select Path="Security">*[System[(EventID=5137 or EventID=4706)]]</Select>
                </Query>
            </QueryList>
        </QueryNode>
    </QueryConfig>
</ViewerConfig>
'@

$CustomViewXML | Out-File -FilePath "$env:USERPROFILE\Desktop\ADObjectCreation.xml" -Encoding UTF8
Pro tip: Feed the forwarded events to your SIEM from the collector's ForwardedEvents log rather than pulling from each domain controller; an attacker with DC access can clear the local Security log, but not the copy that already left the machine.
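The hourly script above only counts events. The rules the "malicious activity" discussion on this page describes (off-hours creation, bulk creation by one account, accounts created by something other than the provisioning system, objects in privileged partitions, trustedDomain objects) as an added example that is not code from the original page. It consumes the flat objects the step 02 parser produces (TimeCreated, User, ObjectClass, ObjectDN); the thresholds, business hours, allow-list and the constructed $Sample records are assumptions to tune per domain:

```powershell
# Added example, not code from the original page: detection rules over parsed 5137 records.
# Thresholds, business hours and the sample data below are illustrative assumptions.

function Find-SuspiciousCreations {
    param(
        [Parameter(Mandatory)][object[]]$Creations,   # objects with TimeCreated, User, ObjectClass, ObjectDN
        [string[]]$ProvisioningAccounts = @(),        # accounts expected to create users/computers in bulk
        [int]$BulkThreshold = 10,                     # this many creations by one subject...
        [int]$BulkWindowMinutes = 10,                 # ...within this sliding window
        [int]$BusinessStartHour = 7,
        [int]$BusinessEndHour = 19
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Rule, $Severity, $Record, $Detail) {
        $findings.Add([PSCustomObject]@{
            Rule = $Rule; Severity = $Severity; Time = $Record.TimeCreated
            User = $Record.User; ObjectDN = $Record.ObjectDN; Detail = $Detail
        })
    }

    foreach ($c in $Creations) {
        $t = [datetime]$c.TimeCreated
        if ($t.DayOfWeek.ToString() -in 'Saturday', 'Sunday' -or $t.Hour -lt $BusinessStartHour -or $t.Hour -ge $BusinessEndHour) {
            Add-Finding 'OffHours' 'Low' $c "created $($t.ToString('yyyy-MM-dd HH:mm')) outside business hours"
        }
        # A trustedDomain object is a new trust; the same action also produces a 4706
        if ($c.ObjectClass -eq 'trustedDomain') {
            Add-Finding 'NewTrust' 'High' $c 'trustedDomain object created; verify against a matching 4706 and a change record'
        }
        # Day-to-day provisioning never writes to the Configuration/Schema partitions or the Domain Controllers OU
        if ($c.ObjectDN -match ',CN=(Configuration|Schema),' -or $c.ObjectDN -match ',OU=Domain Controllers,') {
            Add-Finding 'PrivilegedContainer' 'High' $c 'object created in a privileged partition or container'
        }
        if ($c.ObjectClass -in 'user', 'computer' -and $ProvisioningAccounts -notcontains $c.User) {
            Add-Finding 'NonProvisioningCreator' 'Medium' $c 'account object created by an account outside the provisioning allow-list'
        }
    }

    # Sliding window per subject: report the first moment the window holds BulkThreshold creations
    foreach ($g in ($Creations | Group-Object User)) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.TimeCreated } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $BulkWindowMinutes) { $start++ }
            if (($end - $start + 1) -ge $BulkThreshold) {
                Add-Finding 'BulkCreation' 'Medium' $g.Group[0] "$($end - $start + 1) objects in $BulkWindowMinutes minutes by $($g.Name)"
                break
            }
        }
    }
    return $findings
}

# Constructed sample (not real log data): a Wednesday bulk run by the provisioning account,
# a Sunday 02:13 creation by a helpdesk user, and a trustedDomain object created under CN=System
$Sample = @(1..12 | ForEach-Object {
    [PSCustomObject]@{ TimeCreated = (Get-Date '2026-03-18T10:00:00').AddSeconds(20 * $_); User = 'CORP\svc-provision'
                       ObjectClass = 'user'; ObjectDN = "CN=emp$_,OU=Staff,DC=corp,DC=example" }
})
$Sample += [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-15T02:13:00'; User = 'CORP\jsmith'
                              ObjectClass = 'user'; ObjectDN = 'CN=helpdesk-tmp,CN=Users,DC=corp,DC=example' }
$Sample += [PSCustomObject]@{ TimeCreated = Get-Date '2026-03-18T11:40:00'; User = 'CORP\Administrator'
                              ObjectClass = 'trustedDomain'; ObjectDN = 'CN=evil.example,CN=System,DC=corp,DC=example' }

Find-SuspiciousCreations -Creations $Sample -ProvisioningAccounts 'CORP\svc-provision' | Format-Table -AutoSize
```

On the sample this yields four findings: the Sunday creation by CORP\jsmith twice (OffHours and NonProvisioningCreator), the trustedDomain object (NewTrust), and the twelve users by CORP\svc-provision (BulkCreation). The provisioning account escapes the allow-list rule but not the rate rule on purpose: a compromised provisioning account is the case the rate rule exists for. Emit the findings to the Application log or your SIEM the same way the hourly script does.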

Overview

Event ID 4706 is written to the Security log of a domain controller when a trust to another domain is created; it belongs to the Policy Change category (Audit Authentication Policy Change). The event that fires whenever a new object is created in Active Directory Domain Services is 5137. It appears on the domain controller that processed the originating write when Advanced Audit Policy Configuration has "Audit Directory Service Changes" enabled and the parent container's SACL carries an audit entry covering the creation.

5137 provides the visibility into directory modifications that security monitoring and compliance require. Each event includes the object's distinguished name, GUID and class, the account and Logon ID that performed the creation, and a Correlation ID shared with the 5136 events that populated the object's attributes. Domain administrators rely on it to spot unauthorized object creation, to review bulk provisioning operations, and to keep an audit trail for regulatory compliance.

Replication does not re-audit a change: only the domain controller that handled the write logs it, so in a multi-DC environment you must collect from every DC, or forward the events, to see every creation. 5137 works alongside 4662 (an operation was performed on an object), 5136, 5139 and 5141 (object modified, moved, deleted), 4720, 4741, 4727, 4731 and 4754 (user, computer and group creation from the Account Management category), 4728-4757 (group membership changes) and 4706 (new trust) to provide comprehensive Active Directory audit coverage.

Frequently Asked Questions

What does Event ID 4706 mean and when does it appear?
Event ID 4706, "A new trust was created to a domain", is written to the Security log of a domain controller when a trust relationship to another domain or forest is created, for example in Active Directory Domains and Trusts or with netdom trust /add. It is generated under Policy Change → Audit Authentication Policy Change and lists the Subject who created the trust, the trusted domain's name and SID, and the trust type, direction, attributes and SID filtering state. It does not fire for ordinary object creation; that is Event ID 5137, "A directory service object was created", generated under DS Access → Audit Directory Service Changes for user, computer, group, OU and every other object class.
How can I tell if Event ID 4706 or 5137 indicates malicious activity?
For 4706, any occurrence that is not in change management is suspicious: a new trust is a persistent inbound path, and one whose Trust Information shows SID filtering disabled, or a forest trust you did not plan, deserves an incident ticket. For 5137, the indicators are creation outside business hours, bulk creation by accounts that are not provisioning systems, creation by accounts that should not hold create-child rights, objects in the Configuration or Schema partitions or in privileged OUs, trustedDomain objects, and suspicious naming. The event has no process or client address field, so resolve the Subject Logon ID against the 4624 on the same DC to get the source address and workstation, and use the Correlation ID to collect the 5136 events that set the new object's attributes; userAccountControl, member and servicePrincipalName are the values worth reading.
Why am I seeing multiple events for the same object creation?
A single LDAP add produces one 5137 plus one 5136 per attribute value written, all sharing the same Operation Correlation ID; that is normal. Creating a mail-enabled user through Exchange produces several objects and several operations. Replication does not generate audit events: only the domain controller that handled the write logs it, so you never see the same creation from two DCs. Use the Object GUID to tell whether events refer to one object or to several related objects, and the Correlation ID to tell whether they belong to one write.
How do I configure auditing to generate these events?
For 5137, enable the subcategory on domain controllers with auditpol /set /subcategory:"Directory Service Changes" /success:enable from an elevated prompt, or via Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access → Audit Directory Service Changes, set to Success (this subcategory produces no failure events; failed access attempts are reported by 4662 under Audit Directory Service Access). Make sure "Audit: Force audit policy subcategory settings to override audit policy category settings" is enabled, or the legacy category setting wins. The subcategory alone is not sufficient: 5137 is only written when the SACL of the parent container (or an inherited entry) audits Create child objects for the Subject; check it with Get-Acl -Audit on the AD: drive and add an audit entry on the domain root with inheritance if it is missing. For 4706, enable Policy Change → Audit Authentication Policy Change for Success. The settings apply at the next Group Policy refresh (gpupdate /force); no restart is needed.
Can these events help with compliance auditing requirements?
Yes. 5137 records who created which object, when and under which logon, and 4706 records who established a trust and with which attributes; both supply the identity and access management change logging that SOX, HIPAA, PCI DSS and ISO 27001 audits look for. Retain them per your policy (PCI DSS, for example, requires twelve months with three months immediately available), forward them off the domain controller with Windows Event Forwarding or your SIEM so that an attacker with DC access cannot erase the only copy, and review them on a schedule; the review record is what demonstrates due diligence.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
