Windows Event ID 4720 – Microsoft-Windows-Security-Auditing: User Account Created

Event ID 4720 logs when a new user account is created on Windows systems. This security audit event tracks account creation activities for compliance and security monitoring purposes.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read (5 methods)

What This Event Means

Event ID 4720 represents one of the most important security audit events in Windows environments. Generated by the Microsoft-Windows-Security-Auditing provider, this event creates a permanent record every time a user account is created, whether through GUI tools, command-line utilities, or programmatic methods.

The event contains comprehensive information about the account creation process, including the Security Identifier (SID) of both the creator and the new account, account attributes set during creation, and the workstation from which the creation was initiated. This granular detail makes it possible to reconstruct exactly what happened during account provisioning processes.

In Active Directory environments, this event fires on domain controllers when new domain accounts are created, while on standalone systems it appears when local accounts are added. The event structure includes fields for account name, domain, user account control flags, and other security-relevant attributes that were configured during account creation.

Security teams rely heavily on this event for detecting unauthorized account creation, monitoring privileged account provisioning, and maintaining compliance with regulations that require detailed audit trails of user access management activities.

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Administrator creating new user accounts through Active Directory Users and Computers console
  • Automated user provisioning systems adding accounts via PowerShell or other scripting tools
  • HR systems integrating with Active Directory to create employee accounts
  • Service account creation for applications and system services
  • Local account creation on workstations or member servers
  • Bulk user import operations using tools like csvde or ldifde
  • Third-party identity management solutions provisioning accounts
  • PowerShell commands using New-ADUser or New-LocalUser cmdlets
Resolution Methods

Troubleshooting Steps

Method 1: Review Event Details in Event Viewer

Start by examining the event details to understand what account was created and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4720 in the Event IDs field and click OK
  5. Double-click on a 4720 event to view detailed information
  6. Review key fields including:
    • Subject: Who created the account
    • New Account: Details of the created account
    • Attributes: Account properties set during creation
    • Additional Information: Privileges and account control flags

Pro tip: Pay attention to the User Account Control field, which shows what permissions and restrictions were applied to the new account.
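
As an added example (not code from the original article), the function below does what the Event Viewer walkthrough does by hand: it parses 4720 events into one object per creation and decodes the New UAC Value into flag names. The flag table is the SAM USER_* encoding that the account-management audit events use, which is why a freshly created, still-disabled normal account shows 0x15 rather than the LDAP userAccountControl value; the sample event, account names, SIDs and host name are constructed.

```powershell
# Added example, not code from the original article. Parses 4720 events into
# objects and decodes "New UAC Value". The table is the SAM USER_* flag encoding
# (ntsam.h) that the account-management audit events use; it is not the LDAP
# userAccountControl bit layout, which is why a freshly created, still-disabled
# normal account shows 0x15 = ACCOUNT_DISABLED 0x1 + PASSWORD_NOT_REQUIRED 0x4
# + NORMAL_ACCOUNT 0x10.
$UacFlagTable = [ordered]@{
    0x00001 = 'ACCOUNT_DISABLED'
    0x00002 = 'HOME_DIRECTORY_REQUIRED'
    0x00004 = 'PASSWORD_NOT_REQUIRED'
    0x00008 = 'TEMP_DUPLICATE_ACCOUNT'
    0x00010 = 'NORMAL_ACCOUNT'
    0x00020 = 'MNS_LOGON_ACCOUNT'
    0x00040 = 'INTERDOMAIN_TRUST_ACCOUNT'
    0x00080 = 'WORKSTATION_TRUST_ACCOUNT'
    0x00100 = 'SERVER_TRUST_ACCOUNT'
    0x00200 = 'DONT_EXPIRE_PASSWORD'
    0x00400 = 'ACCOUNT_AUTO_LOCKED'
    0x00800 = 'ENCRYPTED_TEXT_PASSWORD_ALLOWED'
    0x01000 = 'SMARTCARD_REQUIRED'
    0x02000 = 'TRUSTED_FOR_DELEGATION'
    0x04000 = 'NOT_DELEGATED'
    0x08000 = 'USE_DES_KEY_ONLY'
    0x10000 = 'DONT_REQUIRE_PREAUTH'
    0x20000 = 'PASSWORD_EXPIRED'
    0x40000 = 'TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION'
}

function ConvertFrom-UacValue {
    param([string]$HexValue)   # the value as it appears in the event, e.g. '0x15'
    if ([string]::IsNullOrWhiteSpace($HexValue) -or $HexValue -eq '-') { return }
    $value = [Convert]::ToInt64($HexValue.Trim(), 16)   # ToInt64 accepts the 0x prefix for base 16
    foreach ($entry in $UacFlagTable.GetEnumerator()) {
        if (($value -band $entry.Key) -ne 0) { $entry.Value }
    }
}

function ConvertFrom-Event4720 {
    [CmdletBinding()]
    param(
        # EventLogRecord objects from Get-WinEvent, or raw event XML strings
        [Parameter(ValueFromPipeline)] $InputObject
    )
    process {
        $xml = if ($InputObject -is [string]) { [xml]$InputObject } else { [xml]$InputObject.ToXml() }
        # One pass over EventData builds a Name -> value lookup instead of a
        # Where-Object scan per field
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        $flags = @(ConvertFrom-UacValue $data['NewUacValue'])
        [PSCustomObject]@{
            TimeCreated    = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Computer       = $xml.Event.System.Computer
            CreatedBy      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            CreatorSid     = $data['SubjectUserSid']
            CreatorLogonId = $data['SubjectLogonId']
            NewAccount     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            NewAccountSid  = $data['TargetSid']
            NewUacValue    = $data['NewUacValue']
            UacFlags       = $flags
            # Settings worth a second look on a brand-new account
            PasswordNotRequired = $flags -contains 'PASSWORD_NOT_REQUIRED'
            PreAuthNotRequired  = $flags -contains 'DONT_REQUIRE_PREAUTH'
        }
    }
}

# Constructed sample event (names, SIDs and host are made up) so the parser
# can be exercised without access to a Security log
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2026-03-18T02:14:07.000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-backup2</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x8a3f2</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="OldUacValue">0x0</Data>
    <Data Name="NewUacValue">0x15</Data>
  </EventData>
</Event>
'@

$SampleEventXml | ConvertFrom-Event4720 | Format-List
# Against the live log (run as Administrator):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 50 |
#     ConvertFrom-Event4720 | Where-Object { $_.PasswordNotRequired -or $_.PreAuthNotRequired }
```

The sample decodes to ACCOUNT_DISABLED, PASSWORD_NOT_REQUIRED and NORMAL_ACCOUNT, the combination a New-ADUser call without a password produces. On a live log the interesting rows are the ones where the flags do not go away in a following 4738 (account changed) event: an enabled account that keeps PASSWORD_NOT_REQUIRED or gains DONT_REQUIRE_PREAUTH is a provisioning mistake at best.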
Method 2: Query Events with PowerShell

Use PowerShell to efficiently search and analyze account creation events across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent account creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. For more detailed analysis, extract specific fields:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            CreatedBy = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            NewAccount = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
            Domain = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
        }
    }
  4. Filter events by date range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$StartTime; EndTime=$EndTime}

Warning: Querying large Security logs can take a long time and load the host. Use date filters and the MaxEvents parameter to limit results.
Method 3: Analyze Account Creation Patterns

Investigate unusual account creation patterns that might indicate security issues or process problems.

  1. Create a PowerShell script to analyze creation patterns:
    # Analyze account creation by creator
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 1000
    $CreationStats = $Events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            Creator = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            TimeCreated = $_.TimeCreated
            NewAccount = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        }
    } | Group-Object Creator | Sort-Object Count -Descending
    
    $CreationStats | Format-Table Name, Count
  2. Check for after-hours account creation:
    # Find account creation outside business hours (before 08:00 or from 18:00 onwards, local time of the querying host)
    $Events | Where-Object {
        $_.TimeCreated.Hour -lt 8 -or $_.TimeCreated.Hour -ge 18
    } | Format-Table TimeCreated, Message -Wrap
  3. Look for rapid account creation (potential bulk operations):
    # Group events into 5-minute buckets (the minute is rounded down to a multiple of 5)
    # and show the buckets with more than 5 creations
    $Events | Group-Object {
        $_.TimeCreated.Date.AddMinutes([math]::Floor($_.TimeCreated.TimeOfDay.TotalMinutes / 5) * 5).ToString('yyyy-MM-dd HH:mm')
    } | Where-Object {$_.Count -gt 5} | Format-Table Name, Count
Method 4: Cross-Reference with Active Directory Logs

In domain environments, correlate Event ID 4720 with other Active Directory events for complete visibility.

  1. Check Directory Service logs on domain controllers:
    Get-WinEvent -FilterHashtable @{LogName='Directory Service'; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like '*user*create*'}
  2. Query Active Directory for recently created accounts:
    Import-Module ActiveDirectory
    $Yesterday = (Get-Date).AddDays(-1)
    # whenCreated is the attribute to filter on. AD has no "created by" attribute,
    # so the creator can only be taken from the Subject fields of the 4720 event.
    Get-ADUser -Filter {whenCreated -gt $Yesterday} -Properties whenCreated | Select-Object Name, SamAccountName, whenCreated, DistinguishedName
  3. Compare Security log events with AD creation timestamps:
    # Get both security events and AD data
    $Yesterday = (Get-Date).AddDays(-1)
    $SecurityEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$Yesterday} -ErrorAction SilentlyContinue
    $ADUsers = Get-ADUser -Filter {whenCreated -gt $Yesterday} -Properties whenCreated

    # Cross-reference the data. TargetUserName in the event is the sAMAccountName,
    # so match on that rather than on the display name in the message text.
    # Note: 4720 is only logged by the domain controller that processed the creation,
    # so a missing match on this DC can simply mean the account was created elsewhere.
    foreach ($user in $ADUsers) {
        $matchingEvent = $SecurityEvents | Where-Object {
            $xml = [xml]$_.ToXml()
            ($xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text') -eq $user.SamAccountName
        }
        if ($matchingEvent) {
            Write-Host "Match found: $($user.SamAccountName) created at $($user.whenCreated)"
        } else {
            Write-Warning "No 4720 event on this DC for $($user.SamAccountName); check the other domain controllers"
        }
    }
  4. Check for orphaned security events (events without corresponding AD objects):
    # This might indicate deleted accounts or failed creations
    $SecurityEvents | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $accountName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        try {
            Get-ADUser $accountName -ErrorAction Stop | Out-Null
        } catch {
            Write-Warning "Account $accountName from event not found in AD"
        }
    }
Method 5: Configure Advanced Monitoring and Alerting

Set up proactive monitoring to detect unauthorized or suspicious account creation activities.

  1. Register a custom event source once (Write-EventLog fails if the source does not exist), then create the monitoring script:
    New-EventLog -LogName Application -Source "Account Monitor" -ErrorAction SilentlyContinue
    # The script text is taken from a script block (.ToString() returns the body without the braces),
    # which avoids the here-string rule that the closing '@ must start in column 1.
    # Write-EventLog is available in Windows PowerShell 5.1 but not in PowerShell 7.
    $ScriptContent = {
        $Events = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4720; StartTime=(Get-Date).AddMinutes(-15)} -ErrorAction SilentlyContinue
        if ($Events) {
            $Events | ForEach-Object {
                $xml = [xml]$_.ToXml()
                $creator = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "SubjectUserName"} | Select-Object -ExpandProperty "#text"
                $newAccount = $xml.Event.EventData.Data | Where-Object {$_.Name -eq "TargetUserName"} | Select-Object -ExpandProperty "#text"
                Write-EventLog -LogName Application -Source "Account Monitor" -EventId 1001 -Message "New account created: $newAccount by $creator at $($_.TimeCreated)"
            }
        }
    }.ToString()
    # The task runs this file as SYSTEM, so keep C:\Scripts writable by Administrators only
    New-Item -ItemType Directory -Path "C:\Scripts" -Force | Out-Null
    $ScriptContent | Out-File -FilePath "C:\Scripts\MonitorAccountCreation.ps1"
  2. Register the script as a scheduled task (the trigger needs -Once for the repetition parameters to be accepted):
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\MonitorAccountCreation.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    Register-ScheduledTask -TaskName "Monitor Account Creation" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  3. Configure Windows Event Forwarding for centralized monitoring:
    # Custom event subscription XML. Save it as AccountCreation.xml on the collector and load it with:
    #   wecutil cs AccountCreation.xml
    # Source computers need WinRM enabled and must point at the collector through the
    # "Configure target Subscription Manager" Group Policy setting.
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
        <SubscriptionId>AccountCreationMonitoring</SubscriptionId>
        <SubscriptionType>SourceInitiated</SubscriptionType>
        <Description>Forward account creation events</Description>
        <Enabled>true</Enabled>
        <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
        <ConfigurationMode>Normal</ConfigurationMode>
        <Query>
            <![CDATA[
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[EventID=4720]]</Select>
                </Query>
            </QueryList>
            ]]>
        </Query>
        <ReadExistingEvents>false</ReadExistingEvents>
        <LogFile>ForwardedEvents</LogFile>
        <!-- SDDL allowing the Domain Computers group to forward; narrow it to the source computers you expect -->
        <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
    </Subscription>
  4. Set up email alerts for suspicious patterns:
    # Advanced monitoring with email alerts. -ErrorAction SilentlyContinue keeps Get-WinEvent from
    # throwing when nothing matches, and @() makes .Count work when a single event is returned.
    $Events = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue)
    if ($Events.Count -gt 10) {
        $Body = "Warning: $($Events.Count) accounts created in the last hour. This may indicate bulk provisioning or suspicious activity."
        Send-MailMessage -To "security@company.com" -From "monitoring@company.com" -Subject "High Volume Account Creation Alert" -Body $Body -SmtpServer "mail.company.com"
    }

Pro tip: Consider integrating with SIEM solutions like Microsoft Sentinel or Splunk for advanced correlation and automated response capabilities.
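
The pattern analysis in Method 3 and the alerting in Method 5 each look at one signal at a time. As an added example (not code from the original article), the function below combines the signals the article names (creator not on the provisioning allowlist, after-hours creation, bursts per creator, weak account settings) into one score per event, so the rarest combinations sort to the top. The approved creator names, business hours, burst threshold and the sample events are all constructed assumptions to be replaced with your own baseline.

```powershell
# Added example, not code from the original article. Rule-based triage of
# parsed 4720 events. Each input object carries TimeCreated, CreatedBy,
# NewAccount and UacFlags (flag names already decoded from New UAC Value).
# The allowlist, business hours and burst threshold are assumptions; replace
# them with the baseline of your own provisioning process.
function Find-SuspiciousAccountCreation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        # Identities expected to create accounts (hypothetical names)
        [string[]]$ApprovedCreators = @('CORP\svc-hr-provisioning', 'CORP\it-provisioning'),
        [int]$BusinessStartHour = 8,
        [int]$BusinessEndHour = 18,     # 18:00 or later counts as after hours
        [int]$BurstThreshold = 5,       # creations per creator per 5-minute bucket
        [string[]]$RiskyFlags = @('PASSWORD_NOT_REQUIRED', 'DONT_REQUIRE_PREAUTH',
                                  'TRUSTED_FOR_DELEGATION', 'DONT_EXPIRE_PASSWORD')
    )
    # Key identifying the creator's 5-minute bucket; used by the burst rule
    $bucketKey = { param($e)
        '{0}|{1:yyyy-MM-dd}|{2}' -f $e.CreatedBy, $e.TimeCreated, [math]::Floor($e.TimeCreated.TimeOfDay.TotalMinutes / 5)
    }
    $bucketCounts = @{}
    foreach ($e in $Events) {
        $k = & $bucketKey $e
        $bucketCounts[$k] = 1 + [int]$bucketCounts[$k]
    }
    foreach ($e in $Events) {
        $findings = New-Object System.Collections.Generic.List[string]
        if ($ApprovedCreators -notcontains $e.CreatedBy) { $findings.Add('unexpected-creator') }
        $hour = $e.TimeCreated.Hour
        $weekend = $e.TimeCreated.DayOfWeek -in @('Saturday', 'Sunday')
        if ($hour -lt $BusinessStartHour -or $hour -ge $BusinessEndHour -or $weekend) { $findings.Add('after-hours') }
        if ($bucketCounts[(& $bucketKey $e)] -ge $BurstThreshold) { $findings.Add('bulk-creation') }
        $weak = @($e.UacFlags | Where-Object { $RiskyFlags -contains $_ })
        if ($weak.Count -gt 0) { $findings.Add('weak-settings:' + ($weak -join ',')) }
        [PSCustomObject]@{
            TimeCreated = $e.TimeCreated
            CreatedBy   = $e.CreatedBy
            NewAccount  = $e.NewAccount
            Score       = $findings.Count      # number of rules that fired
            Findings    = $findings -join '; '
        }
    }
}

# Constructed sample (not real log data): a weekday HR provisioning run, an
# off-hours creation by an ordinary user with weak settings, and a burst of
# six accounts from the same user within two minutes
$SampleEvents = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-17 09:02:00'; CreatedBy = 'CORP\svc-hr-provisioning'; NewAccount = 'CORP\a.martin';   UacFlags = @('ACCOUNT_DISABLED', 'NORMAL_ACCOUNT') }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-17 09:02:30'; CreatedBy = 'CORP\svc-hr-provisioning'; NewAccount = 'CORP\b.okafor';   UacFlags = @('ACCOUNT_DISABLED', 'NORMAL_ACCOUNT') }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-03-18 02:14:07'; CreatedBy = 'CORP\jdoe';                NewAccount = 'CORP\svc-backup2'; UacFlags = @('NORMAL_ACCOUNT', 'PASSWORD_NOT_REQUIRED', 'DONT_EXPIRE_PASSWORD') }
) + @(1..6 | ForEach-Object {
    [PSCustomObject]@{ TimeCreated = ([datetime]'2026-03-18 11:00:00').AddSeconds(15 * $_); CreatedBy = 'CORP\jdoe'; NewAccount = "CORP\tmpuser$_"; UacFlags = @('NORMAL_ACCOUNT') }
})

Find-SuspiciousAccountCreation -Events $SampleEvents | Sort-Object Score -Descending | Format-Table -AutoSize
# Live use: build the same objects from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720}
# (SubjectDomainName\SubjectUserName, TargetDomainName\TargetUserName, decoded New UAC Value)
```

With the sample data the 02:14 creation scores 3 (unexpected-creator, after-hours, weak-settings), each of the six burst accounts scores 2 (unexpected-creator, bulk-creation) and the HR run scores 0. Scores, not single rules, are what to page on: an approved provisioning account creating a burst at 09:00 is Monday onboarding, the same burst from an ordinary user at night is not.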

Overview

Event ID 4720 fires whenever a new user account is created on a Windows system, whether locally or in an Active Directory environment. This security audit event is part of Windows' comprehensive account management logging and appears in the Security event log when audit policies for account management are enabled.

The event captures critical details including who created the account, when it was created, the new account's properties, and which system generated the event. This makes it invaluable for security teams tracking user provisioning activities, compliance auditors reviewing access management, and administrators investigating unauthorized account creation.

In enterprise environments, this event typically fires during automated user provisioning processes, manual account creation through Active Directory Users and Computers, or PowerShell-based user management scripts. The event provides a complete audit trail of account creation activities across your Windows infrastructure, making it essential for maintaining security baselines and meeting regulatory compliance requirements.

Frequently Asked Questions

What does Event ID 4720 mean and when does it occur?

Event ID 4720 is a security audit event that logs whenever a new user account is created on a Windows system. It occurs during any account creation activity, whether through GUI tools like Active Directory Users and Computers, command-line utilities like net user, or PowerShell cmdlets like New-ADUser. The event captures comprehensive details about who created the account, when it was created, and what properties were assigned to the new account. This event is essential for security monitoring, compliance auditing, and tracking user provisioning activities across Windows environments.

How can I tell who created a user account from Event ID 4720?

Event ID 4720 contains detailed information about the account creator in the 'Subject' section of the event. You can find the creator's username in the 'Subject User Name' field, their domain in the 'Subject Domain Name' field, and their Security ID in the 'Subject Security ID' field. Additionally, the event shows the logon ID and process information of the session that created the account. To extract this information programmatically, use PowerShell to parse the event XML and filter for the 'SubjectUserName' data field, which contains the name of the user who performed the account creation.

Why am I not seeing Event ID 4720 in my Security log?

Event ID 4720 only appears when audit policies for account management are properly configured. You need to enable 'Audit User Account Management' in your local security policy or Group Policy. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management and set it to 'Success' or 'Success and Failure'. On domain controllers, this policy is typically enabled by default, but on workstations and member servers, you may need to configure it manually. Also ensure that the Security log has sufficient size to retain these events and isn't being cleared frequently.

Can Event ID 4720 help detect unauthorized account creation?

Yes, Event ID 4720 is excellent for detecting unauthorized account creation when properly monitored. Look for accounts created outside normal business hours, by unexpected users, or in unusual volumes. Set up automated monitoring to alert on account creation by non-administrative users, creation of accounts with elevated privileges, or bulk account creation patterns that don't match your normal provisioning processes. Cross-reference the events with your change management processes and HR systems to identify accounts created without proper authorization. Consider implementing real-time alerting for any account creation events that occur outside your established procedures.

What's the difference between Event ID 4720 and other account-related events?

Event ID 4720 specifically tracks account creation, while other related events cover different account management activities. Event ID 4722 logs when accounts are enabled, 4725 when accounts are disabled, 4726 when accounts are deleted, and 4738 when account properties are changed. Event IDs 4728-4732 cover group membership changes, while 4740 tracks account lockouts. Understanding these distinctions is crucial for comprehensive account management auditing. Event ID 4720 provides the most detailed information about new account creation, including initial account properties, while the other events focus on subsequent modifications to existing accounts. Together, these events provide a complete audit trail of account lifecycle management.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
