ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with security audit logs for account management events
Event ID 4755InformationSecurityWindows

Windows Event ID 4755 – Security: User Account Enabled

Event ID 4755 logs when a user account is enabled in Active Directory or local security database. This security audit event tracks account management activities for compliance and monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4755Security 5 methods 12 min
Event Reference

What This Event Means

Windows Event ID 4755 represents a fundamental security audit event that tracks user account enablement across Windows environments. When any user account transitions from disabled to enabled state, the Local Security Authority (LSA) subsystem generates this event and writes it to the Security event log.

The event structure includes critical forensic data: the target account name and domain, the subject who performed the action, logon session details, and timestamp information. This granular logging helps security teams track account lifecycle management and detect unauthorized account manipulations.

In Active Directory environments, domain controllers generate Event ID 4755 when administrators use tools like Active Directory Users and Computers, PowerShell's Enable-ADAccount cmdlet, or third-party identity management systems to enable user accounts. Local systems produce this event when local user accounts get enabled through Computer Management, net user commands, or programmatic interfaces.

The event proves particularly valuable during security incidents where attackers might enable dormant accounts for persistence. Security teams can correlate Event ID 4755 with logon events (4624) to identify suspicious account activation patterns. Modern SIEM solutions parse these events to create automated alerts when high-privilege accounts get enabled outside normal business hours.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually enabling a disabled user account through Active Directory Users and Computers
  • PowerShell scripts using Enable-ADAccount or Set-ADUser cmdlets to enable domain accounts
  • Local account enablement via Computer Management console or net user commands
  • Automated identity management systems re-enabling accounts based on HR workflows
  • Group Policy processing that modifies account states during system startup
  • Third-party identity governance tools performing bulk account operations
  • Service accounts being enabled after maintenance windows or system updates
  • Malicious actors enabling dormant accounts for persistence or privilege escalation
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 4755 entry to understand what account was enabled and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and clicking OK
  2. Navigate to Windows LogsSecurity
  3. In the Actions pane, click Filter Current Log
  4. Enter 4755 in the Event IDs field and click OK
  5. Double-click the Event ID 4755 entry to view details
  6. Review the following key fields:
    • Subject: Shows who enabled the account (Account Name, Account Domain, Logon ID)
    • Target Account: Displays the enabled account details (Account Name, Account Domain, Security ID)
    • Additional Information: Contains privileges used for the operation

The event description will show exactly which account was enabled and provide the security context of the operation.

02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4755 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent account enablement events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from event properties:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755} -MaxEvents 10 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $Event.Event.EventData.Data[1].'#text'
        SubjectDomainName = $Event.Event.EventData.Data[2].'#text'
        TargetUserName = $Event.Event.EventData.Data[4].'#text'
        TargetDomainName = $Event.Event.EventData.Data[5].'#text'
    }
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755} | Export-Csv -Path "C:\Temp\AccountEnabled_Events.csv" -NoTypeInformation
03

Investigate Account Status in Active Directory

Verify the current state of the enabled account and review its properties for security assessment.

  1. Open Active Directory Users and Computers from Administrative Tools
  2. Navigate to the organizational unit containing the target account
  3. Right-click the user account and select Properties
  4. Check the Account tab to verify current account status
  5. Review account properties for suspicious changes:
    • Last logon time and workstation
    • Account expiration settings
    • Group memberships and delegated permissions
    • Password last set date
  6. Use PowerShell to get comprehensive account details:
    Get-ADUser -Identity "username" -Properties * | Select-Object Name, Enabled, LastLogonDate, PasswordLastSet, MemberOf, AccountExpirationDate
  7. Check for recent account modifications:
    Get-ADUser -Identity "username" -Properties whenChanged, whenCreated | Select-Object Name, whenCreated, whenChanged
  8. Review group membership changes:
    Get-ADPrincipalGroupMembership -Identity "username" | Select-Object Name, GroupScope, GroupCategory
Pro tip: Cross-reference the enablement time with other security events like 4728 (member added to group) to detect privilege escalation attempts.
04

Correlate with Authentication Events

Analyze authentication patterns following account enablement to detect unauthorized access attempts.

  1. Search for logon events after account enablement:
    $EnableTime = (Get-Date "2026-03-18 10:30:00")
$SearchEnd = $EnableTime.AddHours(24)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$EnableTime; EndTime=$SearchEnd} | Where-Object {$_.Message -like "*username*"}
  2. Check for failed logon attempts before enablement:
    $SearchStart = $EnableTime.AddHours(-24)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$SearchStart; EndTime=$EnableTime} | Where-Object {$_.Message -like "*username*"}
  3. Review logon types and source workstations:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object {
    $Event = [xml]$_.ToXml()
    if ($Event.Event.EventData.Data[5].'#text' -eq "username") {
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            LogonType = $Event.Event.EventData.Data[8].'#text'
            WorkstationName = $Event.Event.EventData.Data[11].'#text'
            SourceIP = $Event.Event.EventData.Data[18].'#text'
        }
    }
}
  4. Generate a timeline report:
    $Events = @()
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755} | Where-Object {$_.Message -like "*username*"}
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Message -like "*username*"}
$Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Message -Wrap
Warning: Immediate logon activity after account enablement, especially from unusual locations or outside business hours, may indicate compromise.
05

Implement Monitoring and Alerting

Set up proactive monitoring to detect unauthorized account enablement activities in real-time.

  1. Create a custom Event Viewer view for Event ID 4755:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Select By log and check Security
    • Enter 4755 in Event IDs field
    • Name the view "Account Enablement Events" and save
  2. Configure Windows Event Forwarding for centralized logging:
    # On collector server
wecutil qc
wecutil cs subscription.xml
  3. Create a PowerShell monitoring script:
    # Monitor-AccountEnablement.ps1
$LastCheck = (Get-Date).AddMinutes(-5)
$NewEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4755; StartTime=$LastCheck}

foreach ($Event in $NewEvents) {
    $EventXML = [xml]$Event.ToXml()
    $TargetUser = $EventXML.Event.EventData.Data[4].'#text'
    $SubjectUser = $EventXML.Event.EventData.Data[1].'#text'
    
    # Send alert for high-privilege accounts
    if ($TargetUser -match "admin|service|sql") {
        Send-MailMessage -To "security@company.com" -Subject "High-Privilege Account Enabled" -Body "Account $TargetUser enabled by $SubjectUser at $($Event.TimeCreated)"
    }
}
  4. Schedule the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-AccountEnablement.ps1"
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
Register-ScheduledTask -TaskName "MonitorAccountEnablement" -Action $Action -Trigger $Trigger
  5. Configure audit policy to ensure Event ID 4755 generation:
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
Pro tip: Integrate with SIEM solutions like Microsoft Sentinel or Splunk for advanced correlation and automated response capabilities.

Overview

Event ID 4755 fires whenever a user account gets enabled in Windows, whether through Active Directory Users and Computers, PowerShell commands, or programmatic changes. This security audit event appears in the Security log and provides crucial information about who enabled the account, when it happened, and which account was affected.

The event captures both domain and local account enablement activities. When a disabled user account gets re-enabled, Windows generates this event to maintain an audit trail of account management operations. This proves essential for security compliance frameworks like SOX, HIPAA, and PCI-DSS that require detailed logging of privileged account activities.

Domain controllers log this event when administrators enable domain user accounts, while member servers and workstations generate it for local account changes. The event includes the security identifier (SID) of both the target account and the account performing the action, making it valuable for forensic investigations and access reviews.

Frequently Asked Questions

What does Event ID 4755 mean and when does it occur?+
Event ID 4755 indicates that a user account has been enabled in Windows. This security audit event fires whenever an account transitions from disabled to enabled state, whether it's a domain account managed through Active Directory or a local account on a standalone system. The event captures who performed the action, which account was enabled, and when it occurred. This is crucial for maintaining audit trails of account management activities and detecting unauthorized account manipulations that could indicate security breaches or insider threats.
How can I determine who enabled a user account using Event ID 4755?+
The Event ID 4755 entry contains detailed information about both the subject (who performed the action) and the target account. In the event details, look for the 'Subject' section which shows the Account Name, Account Domain, and Logon ID of the person who enabled the account. You can also use PowerShell to extract this information programmatically by parsing the event XML data. The SubjectUserName and SubjectDomainName fields specifically identify who initiated the account enablement operation, making it easy to track accountability for account management actions.
Should I be concerned about Event ID 4755 appearing in my security logs?+
Event ID 4755 itself is not inherently concerning as it's a normal part of account lifecycle management. However, you should investigate if the enablement occurs outside normal business processes, involves high-privilege accounts, happens outside business hours, or is followed immediately by suspicious logon activity. Pay particular attention to service accounts, administrative accounts, or dormant user accounts being enabled unexpectedly. Correlate these events with authentication logs (Event IDs 4624/4625) to identify potential security incidents where attackers might be enabling accounts for persistence or privilege escalation.
How do I configure Windows to generate Event ID 4755 for account management auditing?+
To ensure Event ID 4755 is generated, you need to enable User Account Management auditing in your audit policy. Use the command 'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable' to configure this setting. In Group Policy environments, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management and enable 'Audit User Account Management' for both success and failure events. This ensures comprehensive logging of all account enablement activities across your Windows environment.
Can Event ID 4755 help detect security breaches or insider threats?+
Yes, Event ID 4755 is valuable for detecting security breaches and insider threats. Attackers often enable dormant or service accounts to maintain persistence in compromised environments. Monitor for unusual patterns such as accounts being enabled outside business hours, high-privilege accounts activated without proper change management approval, or enablement followed by immediate authentication from unusual locations. Create automated alerts for critical account enablements and establish baselines for normal account management activities. Correlating Event ID 4755 with other security events like failed logons (4625) before enablement or privilege escalation events (4728) can reveal sophisticated attack patterns.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4755 and account management monitoringhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring audit policies to capture account management events like Event ID 4755https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4755#security-auditing#account-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...