
Windows Event ID 4722 – Microsoft-Windows-Security-Auditing: User Account Enabled

Event ID 4722 fires when a user account is enabled in Active Directory or local SAM database. Critical for security auditing and tracking account state changes.

Emanuel DE ALMEIDA | 18 March 2026 | 12 min read

Event Reference

What This Event Means

Event ID 4722 represents a fundamental component of Windows security auditing, specifically tracking user account enablement operations. When Windows processes an account enable request, the Local Security Authority (LSA) generates this audit event before committing the change to the account database. This ensures the action is logged even if subsequent operations fail.

The event structure includes critical forensic data: the target account's username and SID, the subject (account performing the action) details, logon ID for session tracking, and timestamp information. For Active Directory environments, the event fires on the domain controller processing the change, while local account changes generate events on the respective workstation or server.

Security teams rely on Event 4722 for several scenarios: detecting bulk account activations that might indicate attack preparation, tracking administrative actions for compliance auditing, and correlating account state changes with other security events. The event integrates with Windows Event Forwarding (WEF) and SIEM solutions for centralized monitoring.

Understanding this event's context is essential because account enablement often precedes other activities. Attackers who gain administrative access might enable dormant accounts for persistence, while legitimate administrators enable accounts for new employees or returning staff. The timing, frequency, and associated accounts provide crucial context for determining whether the activity represents normal business operations or potential security incidents.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • Administrator manually enabling a disabled user account through Active Directory Users and Computers
  • PowerShell scripts or automated processes enabling accounts using Enable-ADAccount or Set-LocalUser cmdlets
  • Group Policy processing that enables accounts based on organizational unit membership
  • Third-party identity management systems enabling accounts through LDAP operations
  • Exchange or other Microsoft services enabling associated service accounts
  • Bulk account operations performed through CSV imports or migration tools
  • Account self-service portals allowing users to reactivate their own accounts
  • Scheduled tasks or workflows enabling accounts based on business rules
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific Event 4722 details to understand the context and identify the accounts involved.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4722 in the Event IDs field and click OK
  5. Double-click on Event 4722 entries to view detailed information
  6. Review the General tab for basic details and the Details tab for structured data
  7. Note the Subject fields showing who performed the action and Target Account fields showing which account was enabled
  8. Check the Logon ID to correlate with other events from the same session

Pay special attention to the timestamp and whether multiple accounts were enabled in quick succession, which might indicate bulk operations or potential security incidents.

02. Query Events Using PowerShell

Use PowerShell to efficiently query and analyze Event 4722 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent account enable events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific date range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from event properties:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 10 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            TargetUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
            TargetSid = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'} | Select-Object -ExpandProperty '#text'
        }
    }
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} | Export-Csv -Path "C:\Temp\AccountEnabled_Events.csv" -NoTypeInformation

Pro tip: Combine Event 4722 with Event 4720 (account created) and Event 4738 (account changed) to get a complete picture of account lifecycle activities.

03. Investigate Active Directory Account Changes

For domain environments, investigate the Active Directory context of account enablement events.

  1. Open Active Directory Users and Computers from Administrative Tools
  2. Enable Advanced Features from the View menu
  3. Locate the user account mentioned in Event 4722
  4. Right-click the account and select Properties
  5. Check the Account tab to verify current account status
  6. Review the Attribute Editor tab for detailed attribute changes
  7. Use PowerShell to query AD account details:
    Import-Module ActiveDirectory
    Get-ADUser -Identity "username" -Properties whenChanged, whenCreated, userAccountControl, lastLogon | Format-List
  8. Check for recent account modifications:
    Get-ADUser -Filter * -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-1)} | Select-Object Name, whenChanged, Enabled
  9. Review group membership changes that might have triggered the enablement:
    Get-ADPrincipalGroupMembership -Identity "username" | Select-Object Name, GroupCategory, GroupScope
  10. Examine replication metadata for the account:
    Get-ADReplicationAttributeMetadata -Object "CN=username,OU=Users,DC=domain,DC=com" -Server "DomainController"

Warning: Always verify that account enablement aligns with your organization's change management processes before taking any corrective action.

04. Correlate with Authentication and Access Events

Analyze Event 4722 in context with related authentication and access events to understand the full scope of account activity.

  1. Query for logon events following account enablement:
    $AccountEnabled = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 1
    $EnableTime = $AccountEnabled.TimeCreated
    $EndTime = $EnableTime.AddHours(24)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$EnableTime; EndTime=$EndTime} | Where-Object {$_.Message -like "*username*"}
  2. Check for privilege escalation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674} | Where-Object {$_.TimeCreated -gt $EnableTime -and $_.Message -like "*username*"}
  3. Look for account management events in sequence:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4722,4724,4725,4726,4738} | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Message -Wrap
  4. Examine file and registry access following enablement:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4658,4663} | Where-Object {$_.TimeCreated -gt $EnableTime -and $_.Message -like "*username*"} | Select-Object TimeCreated, Id, Message
  5. Create a timeline of related events:
    $Events = @(4720,4722,4724,4725,4726,4738,4624,4625,4672)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Events; StartTime=$EnableTime.AddHours(-1); EndTime=$EnableTime.AddHours(1)} | Sort-Object TimeCreated | Export-Csv -Path "C:\Temp\AccountActivity_Timeline.csv"

This correlation helps identify whether the account enablement was followed by legitimate business activity or potentially suspicious behavior patterns.

05. Implement Monitoring and Alerting for Account Enablement

Set up proactive monitoring to detect and respond to account enablement events in real-time.

  1. Create a custom Event Viewer view for monitoring:
    • Open Event Viewer and right-click Custom Views
    • Select Create Custom View
    • Choose By log and select Security
    • Enter 4722 in Event IDs field
    • Name the view "Account Enablement Monitoring"
  2. Configure Windows Event Forwarding for centralized collection:
    # On collector server
    wecutil qc
    wecutil cs subscription.xml
  3. Create a PowerShell monitoring script:
    # AccountEnablementMonitor.ps1
    $LastCheck = (Get-Date).AddMinutes(-5)
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no event matches the window
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722; StartTime=$LastCheck} -ErrorAction SilentlyContinue
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        $TargetUser = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        $SubjectUser = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        
        Write-Host "ALERT: Account $TargetUser enabled by $SubjectUser at $($Event.TimeCreated)" -ForegroundColor Red
        # Add notification logic here (email, webhook, etc.)
    }
  4. Schedule the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AccountEnablementMonitor.ps1"
    # -Once is required for New-ScheduledTaskTrigger to accept -RepetitionInterval and -RepetitionDuration
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
    Register-ScheduledTask -TaskName "AccountEnablementMonitor" -Action $Action -Trigger $Trigger -User "SYSTEM"
  5. Configure SIEM integration using Windows Event Forwarding or direct log shipping to your security monitoring platform

Pro tip: Set up different alert thresholds for different account types - service accounts, administrative accounts, and regular user accounts should have different monitoring sensitivity levels.

Overview

Event ID 4722 is a security audit event that fires whenever a user account is enabled in Windows. This event appears in the Security log and is part of Microsoft's comprehensive account management auditing framework. The event triggers when an administrator or automated process changes a user account from disabled to enabled state, whether in Active Directory environments or local SAM databases.

This event is crucial for security monitoring because enabling previously disabled accounts can indicate legitimate administrative actions or potential security incidents. Organizations typically monitor this event to track account lifecycle management, detect unauthorized account activations, and maintain compliance with security policies. The event provides detailed information about who enabled the account, when it occurred, and which account was affected.

Event 4722 fires on domain controllers for AD accounts and on local machines for local user accounts. It's generated immediately when the account state changes and includes contextual information like the security identifier (SID) of both the target account and the account performing the action. This makes it invaluable for forensic investigations and security incident response.

Frequently Asked Questions

What does Event ID 4722 mean and why is it important?
Event ID 4722 indicates that a user account has been enabled in Windows, either in Active Directory or the local SAM database. This event is crucial for security monitoring because it tracks when previously disabled accounts are reactivated. Security teams monitor this event to detect unauthorized account activations, track administrative actions for compliance, and identify potential security incidents where attackers might enable dormant accounts for persistence or lateral movement.
How can I determine who enabled a user account in Event 4722?
Event 4722 contains detailed information about both the account that was enabled and who performed the action. In the event details, look for the 'Subject' fields which show the username, domain, and SID of the account that enabled the user. The 'Logon ID' field helps correlate this action with the specific logon session. You can use PowerShell to extract this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} | ForEach-Object { $xml = [xml]$_.ToXml(); $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} }
What's the difference between Event 4722 and other account management events?
Event 4722 specifically tracks account enablement, while other related events cover different account operations: Event 4720 logs account creation, Event 4724 logs password reset attempts, Event 4725 logs account disabling, Event 4726 logs account deletion, and Event 4738 logs account modifications. Understanding these distinctions is crucial for comprehensive account lifecycle monitoring. Event 4722 only fires when an account transitions from disabled to enabled state, not when an already-enabled account is modified.
Can Event 4722 help detect security incidents or attacks?
Yes, Event 4722 is valuable for detecting several attack scenarios. Attackers who gain administrative access might enable dormant or service accounts for persistence, create backdoors by enabling previously unused accounts, or enable accounts in bulk as preparation for larger attacks. Unusual patterns like multiple accounts enabled simultaneously, accounts enabled outside business hours, or service accounts enabled by non-administrative users can indicate security incidents. Correlating Event 4722 with subsequent authentication events (4624/4625) and privilege use events (4672) provides comprehensive attack detection capabilities.
How should I configure monitoring and alerting for Event 4722?
Configure Event 4722 monitoring based on your organization's risk profile and account types. For high-privilege accounts, set up real-time alerts for any enablement activity. For regular user accounts, consider alerting on bulk operations or enablement outside business hours. Use Windows Event Forwarding to centralize collection, and integrate with your SIEM for correlation with other security events. Create different alert thresholds: immediate alerts for administrative accounts, daily summaries for regular users, and special monitoring for service accounts. Always include context like who performed the action, when it occurred, and whether it aligns with change management processes.
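As an added example (not part of the original article), the two detection patterns the FAQ answers above describe, bulk enablement by one subject and enablement outside business hours, applied to 4722 records in the ToXml() layout that the step 02 script walks (TargetUserName, TargetSid, SubjectUserName, SubjectLogonId). The sample records, the 5-minute window, the threshold of 3 accounts and the 08:00-18:00 business window are constructed assumptions.

```python
# Detection heuristics for Event ID 4722 records, run over constructed samples.
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4722(xml_text):
    """Pull the forensic fields out of one 4722 event as rendered by ToXml()."""
    root = ET.fromstring(xml_text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime")  # UTC, 7-digit fraction
    fields = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {"time": datetime.fromisoformat(when.rstrip("Z").split(".")[0]),  # fraction dropped
            "subject": fields["SubjectUserName"], "logon_id": fields["SubjectLogonId"],
            "target": fields["TargetUserName"], "target_sid": fields["TargetSid"]}

def flag_enablements(events, window=timedelta(minutes=5), bulk=3, hours=(8, 18)):
    """Return (target, reason) pairs for the two FAQ patterns: several accounts enabled
    by one subject inside the window, or any enablement outside business hours."""
    findings, by_subject = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not hours[0] <= ev["time"].hour < hours[1]:
            findings.append((ev["target"], "outside business hours"))
        recent = [t for t in by_subject[ev["subject"]] if ev["time"] - t <= window]
        recent.append(ev["time"])
        by_subject[ev["subject"]] = recent
        if len(recent) >= bulk:
            mins = int(window.total_seconds() // 60)
            findings.append((ev["target"],
                             f"bulk: {len(recent)} accounts enabled by {ev['subject']} within {mins} min"))
    return findings

# Constructed records in the ToXml() layout; only the fields the heuristics need are included.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4722</EventID><TimeCreated SystemTime="{t}"/></System>'
            '<EventData><Data Name="TargetUserName">{target}</Data>'
            '<Data Name="TargetSid">S-1-5-21-1-2-3-{rid}</Data>'
            '<Data Name="SubjectUserName">{subject}</Data>'
            '<Data Name="SubjectLogonId">0x3e7</Data></EventData></Event>')

def sample_events():
    rows = [("2026-03-18T09:00:00.0000000Z", "jdoe", "helpdesk1", 1101),
            ("2026-03-18T02:10:00.0000000Z", "svc_backup", "admin2", 1102),
            ("2026-03-18T14:00:00.0000000Z", "u1", "admin2", 1103),
            ("2026-03-18T14:01:00.0000000Z", "u2", "admin2", 1104),
            ("2026-03-18T14:02:00.0000000Z", "u3", "admin2", 1105)]
    return [parse_4722(TEMPLATE.format(t=t, target=tg, subject=s, rid=r)) for t, tg, s, r in rows]

if __name__ == "__main__":
    for target, reason in flag_enablements(sample_events()):
        print(f"ALERT: {target}: {reason}")
```

Feeding real events in means exporting them with ToXml() (as in step 02) and converting SystemTime to local time before the business-hours check.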

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
