Event ID 4722 · Information · Microsoft-Windows-Security-Auditing · Windows

Windows Event ID 4722 – Microsoft-Windows-Security-Auditing: User Account Enabled

Event ID 4722 ("A user account was enabled") fires when the disabled flag is cleared on a user account, either in Active Directory (logged on the domain controller that processed the change) or in a member server's or workstation's local SAM database. Do not confuse it with Event ID 4758, which records the deletion of a security-enabled universal group. This security audit event tracks account state changes for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026 · 12 min read
Event Reference

What This Event Means

Event ID 4722 is one of the core account-management audit events in Windows. When a user account transitions from disabled to enabled, Windows writes this event so that an audit trail of account management activity exists. The event contains structured data including the security identifier (SID) of both the account being modified (the Target) and the account performing the modification (the Subject).

In Active Directory environments the event is written on the domain controller that processed the change, whichever management interface was used. The event itself does not record the workstation the change came from or the tool that made it; that context comes from correlating the Subject's Logon ID with the matching 4624 logon event on the same domain controller, which carries the source address, workstation name, logon type and authentication package. Together these records support both security monitoring and compliance requirements.

The event's fields are the Subject (Security ID, Account Name, Account Domain, Logon ID) and the Target Account (Security ID, Account Name, Account Domain). There is no process or authentication-package field in 4722; the Logon ID is the join key to 4624 (logon) and 4688 (process creation) on the same host, and a companion 4738 ("A user account was changed") is normally written alongside it and shows the userAccountControl transition. This detail lets security teams correlate account enabling with surrounding events and reconstruct the administrative action in context.

Organizations typically monitor this event as part of privileged account management programs, insider threat detection, and compliance frameworks requiring audit trails of account modifications. The event integrates with Security Information and Event Management (SIEM) systems and can trigger automated responses when suspicious account enabling patterns are detected.
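The following PowerShell block is an added example, not code from the original page: it parses a 4722 event into a flat object using the field names from the real EventData schema, then applies a simple baseline check of the kind a SIEM rule would run (approved provisioning identities and business hours). The event XML, the SIDs, hosts, account names and the baseline values are constructed for this example and are assumptions; tune them to your environment.

```powershell
# Constructed sample 4722 event. Only the System elements needed here are kept;
# the EventData field names are the real ones for 4722.
$Sample1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4722</EventID>
    <TimeCreated SystemTime="2026-03-14T02:17:45.1234567Z"/>
    <EventRecordID>1234567</EventRecordID>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1802</Data>
    <Data Name="SubjectUserName">helpdesk.tmp</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7f2a1</Data>
  </EventData>
</Event>
'@
# Second constructed sample: same shape, but done by the provisioning account during the day.
$Sample2 = $Sample1.Replace('helpdesk.tmp', 'svc_provisioning').Replace('02:17:45', '09:05:12').Replace('1234567<', '1234599<')

function ConvertFrom-AccountEnabledEvent {
    # Flattens the 4722 EventData <Data Name="..."> elements into one object.
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($item in $EventXml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [PSCustomObject]@{
        TimeCreatedUtc = ([datetime]$EventXml.Event.System.TimeCreated.SystemTime).ToUniversalTime()
        Computer       = $EventXml.Event.System.Computer
        RecordId       = [long]$EventXml.Event.System.EventRecordID
        Subject        = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        SubjectLogonId = $d.SubjectLogonId      # join key for 4624 / 4688 on the same host
        Target         = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        TargetSid      = $d.TargetSid
    }
}

function Test-AccountEnableBaseline {
    # Returns the reasons an enable deviates from the baseline; empty output means it looks routine.
    # ASSUMPTIONS: provisioning runs as CORP\svc_provisioning, admin work happens 07:00-19:00 UTC,
    # and privileged accounts follow an '*adm*' naming convention. All three are example values.
    param(
        [Parameter(Mandatory)]$Event,
        [string[]]$ApprovedSubjects = @('CORP\svc_provisioning'),
        [int]$BusinessStartHourUtc = 7,
        [int]$BusinessEndHourUtc = 19,
        [string]$PrivilegedNamePattern = '*adm*'
    )
    $reasons = @()
    if ($Event.Subject -notin $ApprovedSubjects) {
        $reasons += "subject $($Event.Subject) is not an approved provisioning identity"
    }
    $hour = $Event.TimeCreatedUtc.Hour
    if ($hour -lt $BusinessStartHourUtc -or $hour -ge $BusinessEndHourUtc) {
        $reasons += "enabled outside business hours ($($Event.TimeCreatedUtc.ToString('HH:mm'))Z)"
    }
    if ($Event.Target -like $PrivilegedNamePattern) {
        $reasons += "target $($Event.Target) matches the privileged naming pattern"
    }
    $reasons
}

$parsed = @($Sample1, $Sample2) | ForEach-Object { ConvertFrom-AccountEnabledEvent ([xml]$_) }
foreach ($e in $parsed) {
    $reasons = Test-AccountEnableBaseline -Event $e
    $verdict = if ($reasons) { 'REVIEW' } else { 'routine' }
    '{0} {1,-8} {2} enabled by {3} on {4} (record {5})' -f $e.TimeCreatedUtc.ToString('u'), $verdict, $e.Target, $e.Subject, $e.Computer, $e.RecordId
    $reasons | ForEach-Object { "    - $_" }
}

# Live use (assumption: run on the domain controller with rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 100 |
#     ForEach-Object { ConvertFrom-AccountEnabledEvent ([xml]$_.ToXml()) } |
#     Where-Object { Test-AccountEnableBaseline -Event $_ }
```

With the constructed input the first event is flagged (unapproved subject, 02:17Z) and the second is routine. The hashtable flattening is the part worth keeping: every later step on this page that pulls SubjectLogonId, TargetSid or the domain-qualified names out of the XML can reuse it instead of one Where-Object per field.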

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • An administrator manually enables a disabled user account through Active Directory Users and Computers or the Active Directory Administrative Center
  • PowerShell cmdlets such as Enable-ADAccount or Set-ADUser -Enabled $true (Enable-LocalUser for the local SAM) are executed to enable accounts
  • Command-line tools such as net user <name> /active:yes or dsmod user <DN> -disabled no are used to enable accounts
  • Automated systems or service accounts enable user accounts as part of provisioning workflows
  • Scheduled or logon scripts (for example ones deployed through Group Policy) that programmatically enable accounts based on conditions
  • Third-party identity management systems making account state changes through LDAP or other protocols
  • Recovery procedures where disabled accounts are re-enabled after security incidents
  • Bulk account operations using CSV imports or batch processing tools
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4722 to understand the context of the account enabling action.

  1. Open Event Viewer by pressing Windows + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4722 in the Event IDs field and click OK
  5. Double-click a 4722 event to view its details
  6. Review the General tab for the rendered message and timestamp
  7. Click the Details tab and select XML View for the structured EventData
  8. Document the following key fields (4722 carries no process, source-address or authentication-package fields; that context comes from correlation):
    • Subject (SubjectUserSid, SubjectUserName, SubjectDomainName): the account that performed the enabling action
    • Target Account (TargetSid, TargetUserName, TargetDomainName): the account that was enabled
    • Logon ID (SubjectLogonId): the session identifier for correlation with 4624 logon and 4688 process creation events
    • Computer (System section): the domain controller or host that processed the change; the correlating events live in that host's Security log
Pro tip: Cross-reference the Logon ID with Event ID 4624 (successful logon) to identify the source workstation and authentication method used by the administrator.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4722 occurrences across your environment.

  1. Open PowerShell as Administrator (reading the Security log requires administrative rights or membership in Event Log Readers)
  2. Query recent account enabling events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by a specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract the EventData fields into objects (flattening the Data elements into a hashtable once is faster and easier to extend than a Where-Object per field):
    $Parsed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 10 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        $Data = @{}
        foreach ($d in $Event.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            Computer          = $_.MachineName
            SubjectUserName   = $Data.SubjectUserName
            SubjectDomainName = $Data.SubjectDomainName
            SubjectLogonId    = $Data.SubjectLogonId
            TargetUserName    = $Data.TargetUserName
            TargetDomainName  = $Data.TargetDomainName
            TargetSid         = $Data.TargetSid
        }
    }
    $Parsed | Format-Table -AutoSize
  5. Export the parsed objects for analysis (exporting the raw event objects gives you little beyond the Message string):
    $Parsed | Export-Csv -Path "C:\Temp\AccountEnabled_Events.csv" -NoTypeInformation
Pro tip: Query every domain controller, because the event is written only on the DC that processed the change: Get-ADDomainController -Filter * | ForEach-Object { Get-WinEvent -ComputerName $_.HostName -FilterHashtable @{LogName='Security'; Id=4722; StartTime=$StartTime} }
03

Correlate with Active Directory Changes

Investigate the Active Directory context and verify the account enabling action through the companion audit events and the directory itself.

  1. Find the companion 4738 ("A user account was changed") written for the same target; its User Account Control field records the userAccountControl transition behind the enable (the Directory Service log does not record account enables):
    $TargetUser = "username_from_event"
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=(Get-Date).AddHours(-1)} |
        Where-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq $TargetUser } } |
        Format-List TimeCreated, Message
  2. Query Active Directory for the current account status:
    Import-Module ActiveDirectory
    Get-ADUser -Identity $TargetUser -Properties Enabled, whenChanged, whenCreated, LastLogonDate, userAccountControl | Format-List Name, Enabled, whenChanged, whenCreated, LastLogonDate, userAccountControl
  3. Review the account modification timestamps (whenChanged and uSNChanged are maintained per domain controller, so query the DC named in the event):
    Get-ADUser -Identity $TargetUser -Properties * | Select-Object Name, whenChanged, modifyTimeStamp, uSNChanged
  4. Check for password resets that might be related (an attacker who enables a dormant account usually has to reset its password first):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} | Where-Object {$_.Message -like "*$TargetUser*"} | Select-Object TimeCreated, Message
  5. Verify group membership changes around the same time:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756} | Where-Object {$_.Message -like "*$TargetUser*"} | Format-Table TimeCreated, Id, Message -Wrap
Warning: Always verify that account enabling actions align with approved change management processes and security policies before concluding the investigation.
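The 4738 companion event and the userAccountControl attribute both express the enable as a change of bit flags, and the same change can carry other flag changes that matter more than the enable itself (for example "password not required" or "do not require Kerberos preauthentication"). The PowerShell below is an added example, not from the original page: it decodes userAccountControl using the ADS_USER_FLAG_ENUM bit values from the AD schema and diffs a before/after pair. The sample values are constructed; the live-use lines at the end assume the ActiveDirectory module and a reachable domain controller named DC01.

```powershell
# userAccountControl bit flags (ADS_USER_FLAG_ENUM), as stored on the user object in AD
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Flags that weaken password policy or Kerberos hardening; worth an alert when SET on an enable
$RiskyFlags = 'PASSWD_NOTREQD', 'DONT_REQ_PREAUTH', 'USE_DES_KEY_ONLY', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'TRUSTED_FOR_DELEGATION', 'DONT_EXPIRE_PASSWORD'

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Compare-UserAccountControl {
    # Diffs two userAccountControl values: which flags were cleared, which were set,
    # whether the change was an enable or a disable, and which risky flags were newly set.
    param([Parameter(Mandatory)][int]$Before, [Parameter(Mandatory)][int]$After)
    $changed = $Before -bxor $After
    $set = @(ConvertFrom-UserAccountControl ($changed -band $After))
    [PSCustomObject]@{
        Before   = $Before
        After    = $After
        Cleared  = @(ConvertFrom-UserAccountControl ($changed -band $Before))
        Set      = $set
        Enabled  = (($Before -band 0x2) -ne 0) -and (($After -band 0x2) -eq 0)
        Disabled = (($Before -band 0x2) -eq 0) -and (($After -band 0x2) -ne 0)
        RiskySet = @($set | Where-Object { $_ -in $RiskyFlags })
    }
}

# Constructed samples: 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE (a typical disabled user).
# A plain enable lands on 512; 66080 = 512 + DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD, which is
# what an enable that also strips the password requirement looks like.
Compare-UserAccountControl -Before 514 -After 512   | Format-List
Compare-UserAccountControl -Before 514 -After 66080 | Format-List

# Live use (assumptions: ActiveDirectory module present, DC01 is the DC named in the 4722 event):
# $u = Get-ADUser -Identity 'jdoe' -Properties userAccountControl
# ConvertFrom-UserAccountControl $u.userAccountControl
# Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server 'DC01' -Attribute userAccountControl |
#     Select-Object LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
```

The first comparison reports Cleared = ACCOUNTDISABLE and Enabled = True with nothing risky; the second additionally reports Set = PASSWD_NOTREQD, DONT_EXPIRE_PASSWORD and lists both as risky. The replication metadata call in the live-use comment is how you learn which domain controller originated the userAccountControl change and when, independent of the Security log, which is useful when the event log on one DC has rolled over or been cleared.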
04

Implement Monitoring and Alerting

Set up proactive monitoring to detect and alert on future account enabling activities for security oversight.

  1. Create a custom Event Viewer view for ongoing monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Select By log and choose Security
    • Enter 4722 in the Event IDs field
    • Name the view "Account Enabled Events" and save
  2. Configure Windows Event Forwarding (WEF) for centralized collection:
    # On the collector server: configure the Windows Event Collector service
    wecutil qc /q
    # Create the subscription from an XML definition (wecutil cs /? documents the schema)
    wecutil cs AccountEnabledSubscription.xml
  3. Set up a PowerShell-based monitoring script (Send-MailMessage needs -From and -SmtpServer; it is deprecated but still ships with Windows PowerShell 5.1):
    # Monitor script to run as a scheduled task. The look-back window must match the task
    # interval, otherwise events are missed or alerted twice.
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722; StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue
    foreach ($e in $Events) {
        $Event = [xml]$e.ToXml()
        $Data = @{}
        foreach ($d in $Event.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        Send-MailMessage -From "soc-alerts@company.com" -To "security@company.com" -SmtpServer "smtp.company.com" `
            -Subject "Account Enabled Alert: $($Data.TargetDomainName)\$($Data.TargetUserName)" `
            -Body "User $($Data.TargetDomainName)\$($Data.TargetUserName) was enabled by $($Data.SubjectDomainName)\$($Data.SubjectUserName) (Logon ID $($Data.SubjectLogonId)) on $($e.MachineName) at $($e.TimeCreated)"
    }
  4. Configure audit policy to ensure events are generated (a local auditpol setting is overwritten at the next Group Policy refresh if a GPO defines the subcategory, so set it in the GPO for production):
    # Enable account management auditing
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
  5. Create a scheduled task for continuous monitoring (-Once -At is required together with -RepetitionInterval):
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\MonitorAccountEnabled.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
    Register-ScheduledTask -TaskName "Monitor Account Enabled" -Action $Action -Trigger $Trigger -User "SYSTEM" -RunLevel Highest
Pro tip: Integrate Event ID 4722 monitoring with your SIEM solution using Windows Event Forwarding or log shipping agents for enterprise-scale security monitoring.
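Step 2 above refers to an AccountEnabledSubscription.xml without showing it. The PowerShell below is an added example, not from the original page: it writes a source-initiated WEF subscription for the account-enable events and sanity-checks the XPath against the local Security log before you deploy it. The subscription name, description, event set (4722 plus 4725 and 4738 for context), output path and the use of the Domain Computers SDDL are choices made for this example; the collector is assumed to have run wecutil qc already.

```powershell
# Subscription identity and where to write the definition (both are example choices)
$SubscriptionId = 'AccountEnabledSubscription'
$OutFile = Join-Path $env:TEMP "$SubscriptionId.xml"

# Event log XPath: 4722 = account enabled, 4725 = disabled, 4738 = changed (carries the UAC transition).
# The Provider filter keeps out any third-party provider that reuses these IDs in the Security log.
$QueryList = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4722 or EventID=4725 or EventID=4738)]]</Select>
  </Query>
</QueryList>
'@

# Source-initiated subscription: the forwarders connect to the collector, which scales to many DCs
# and needs no inbound firewall rules on the sources.
$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>User account enable/disable/change events from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
$QueryList
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL allowing Domain Computers (DC) to forward. For this subscription a group containing only
       the domain controllers is tighter; replace the SID alias with that group's SID. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# Sanity-check the XPath locally before deploying: a query that matches nothing here is usually a typo
$Local = Get-WinEvent -FilterXml ([xml]$QueryList) -MaxEvents 5 -ErrorAction SilentlyContinue
"Local Security log matches (up to 5): $(@($Local).Count)"

# Write UTF-8 without BOM, which wecutil accepts
[System.IO.File]::WriteAllText($OutFile, $Subscription, [System.Text.UTF8Encoding]::new($false))
"Subscription written to $OutFile"
"On the collector run:  wecutil cs `"$OutFile`"   then check with:  wecutil gr $SubscriptionId"
```

Two things on the source side are easy to forget: the forwarder runs as NETWORK SERVICE, which cannot read the Security log until you add it to the Event Log Readers group on each source, and the sources must be pointed at the collector through Group Policy (Computer Configuration → Policies → Administrative Templates → Windows Components → Event Forwarding → Configure target Subscription Manager, with a value such as Server=http://collector.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60; the host name is an example). wecutil gr shows which sources have connected and their last heartbeat, which is the first place to look when events do not arrive.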
05

Advanced Forensic Analysis and Response

Perform comprehensive forensic analysis when Event ID 4722 indicates a potential security incident or policy violation.

  1. Collect the event and find the logon session that performed it. 4722 has no source-address field; the Subject's Logon ID matches TargetLogonId in the 4624 logon event on the same host, which carries the IP address, workstation name, logon type and authentication package. Filtering with XPath is far faster than parsing every 4624:
    # Event correlation script (run on the DC or host that logged the 4722)
    $TargetEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 1
    $EventXML = [xml]$TargetEvent.ToXml()
    $Data = @{}
    foreach ($d in $EventXML.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
    $LogonID = $Data.SubjectLogonId

    # The logon that created the session (Logon IDs are unique only per boot of one host)
    $RelatedLogons = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$LogonID']]" -ErrorAction SilentlyContinue

    $RelatedLogons | ForEach-Object {
        $L = @{}; foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $L[$d.Name] = $d.'#text' }
        [PSCustomObject]@{ TimeCreated = $_.TimeCreated; LogonType = $L.LogonType; SourceIP = $L.IpAddress; Workstation = $L.WorkstationName; AuthPackage = $L.AuthenticationPackageName }
    } | Format-Table -AutoSize
  2. Analyze the process execution context. 4722 does not name the process; 4688 (process creation, requires Audit Process Creation, and the command line only if "Include command line in process creation events" is enabled) shares the same Subject Logon ID. This matches only when the tool ran on the host that logged the 4722; for a change made remotely through ADUC or PowerShell remoting, pivot to the workstation identified by the 4624 source IP and repeat there with the administrator's interactive Logon ID:
    $Window = $TargetEvent.TimeCreated
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688] and EventData[Data[@Name='SubjectLogonId']='$LogonID']]" -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Window.AddMinutes(-10) -and $_.TimeCreated -le $Window } |
        ForEach-Object { $P = @{}; foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $P[$d.Name] = $d.'#text' }; [PSCustomObject]@{ TimeCreated = $_.TimeCreated; Process = $P.NewProcessName; CommandLine = $P.CommandLine } } |
        Format-Table -AutoSize
  3. Investigate privilege escalation patterns:
    # Check for privilege use events around the same time
    $StartTime = $Window.AddMinutes(-10)
    $EndTime = $Window.AddMinutes(10)

    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Id, Message -Wrap
  4. Document findings and create an incident response timeline:
    # Generate the incident report
    $Report = [ordered]@{
        EventTime      = $TargetEvent.TimeCreated.ToUniversalTime().ToString('o')
        EventID        = $TargetEvent.Id
        Computer       = $TargetEvent.MachineName
        SubjectUser    = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
        SubjectLogonId = $LogonID
        TargetUser     = "$($Data.TargetDomainName)\$($Data.TargetUserName)"
        TargetSid      = $Data.TargetSid
        RelatedLogons  = @($RelatedLogons).Count
    }

    $Report | ConvertTo-Json | Out-File "C:\Temp\AccountEnabled_Investigation_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
  5. Implement immediate response actions if the change is unauthorized:
    # If the investigation reveals an unauthorized enable
    $UnauthorizedUser = "suspicious_account"

    # Disable the account immediately. Kerberos tickets already issued stay valid until they expire,
    # so also review the account's active sessions and the administrator account that performed the enable.
    Disable-ADAccount -Identity $UnauthorizedUser

    # Reset to a random password; never hardcode one in a response script
    $Bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
    Set-ADAccountPassword -Identity $UnauthorizedUser -Reset -NewPassword (ConvertTo-SecureString ([Convert]::ToBase64String($Bytes)) -AsPlainText -Force)

    # Log the response action (the event source must be registered once; Write-EventLog exists in Windows PowerShell 5.1, not PowerShell 7)
    if (-not [System.Diagnostics.EventLog]::SourceExists("Security Response")) { New-EventLog -LogName Application -Source "Security Response" }
    Write-EventLog -LogName Application -Source "Security Response" -EventId 1001 -Message "Account $UnauthorizedUser disabled due to unauthorized enabling detected in Event ID 4722 investigation"
Warning: Always follow your organization's incident response procedures and legal requirements when conducting forensic analysis. Preserve evidence integrity and maintain proper chain of custody documentation.

Overview

Event ID 4722 is a security audit event that fires whenever a user account is enabled in Windows. It occurs both in Active Directory environments, where it is logged on the domain controller that processed the change, and on standalone or member systems using the local Security Account Manager (SAM) database. The event captures who enabled the account, which account was enabled, and when; the originating host and tool are not in the event and have to be correlated from the 4624 and 4688 events that share its Logon ID. Event ID 4758 is a different Account Management event, "A security-enabled universal group was deleted".

This event belongs to the Advanced Audit Policy subcategory Account Management → Audit User Account Management. The Default Domain Controllers Policy enables success auditing for account management; on member servers and workstations, verify the effective setting with auditpol /get /subcategory:"User Account Management" rather than assuming it. The event provides essential visibility for security teams monitoring account lifecycle changes, particularly when investigating unauthorized account modifications or tracking compliance with security policies.

The event fires immediately when an administrator uses tools like Active Directory Users and Computers, PowerShell cmdlets, or command-line utilities to clear an account's disabled flag. Each instance generates a separate event with Subject and Target attribution, making it valuable for forensic analysis and security monitoring workflows.

Frequently Asked Questions

What does Event ID 4722 mean and when does it occur?
Event ID 4722 is a security audit event that fires whenever a user account is enabled in Windows. This occurs when an administrator changes an account's status from disabled to enabled using tools like Active Directory Users and Computers, PowerShell cmdlets, or command-line utilities. The event captures who performed the action (Subject), which account was enabled (Target), and when it occurred; it does not record the source workstation or process. This event is essential for security monitoring and compliance tracking in enterprise environments.
How do I enable auditing for Event ID 4722 if it's not appearing in my logs?
Event ID 4722 requires the Audit User Account Management subcategory to be enabled. Locally, use auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable. The Default Domain Controllers Policy enables account management auditing on domain controllers; for member servers and workstations, configure it through Group Policy under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit User Account Management, since a GPO setting overrides the local auditpol value at the next refresh. Remember the event is only written on the domain controller that processed the change, so check every DC.
Can Event ID 4722 help detect unauthorized account access or insider threats?
Yes, Event ID 4722 is valuable for detecting unauthorized account modifications and potential insider threats. By monitoring when accounts are enabled, especially outside of normal business hours or by unexpected administrators, security teams can identify suspicious activity. Correlating this event with logon events (4624), privilege use events (4672), password resets (4724) and the companion account-changed event (4738) creates a comprehensive audit trail that helps detect unauthorized access patterns, privilege escalation attempts, and policy violations.
What information is included in Event ID 4722 and how can I extract it programmatically?
Event ID 4722 contains structured data for the Subject (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId) and the Target account (TargetSid, TargetUserName, TargetDomainName), plus the timestamp and the logging computer in the System section. You can extract this data using PowerShell by parsing the event XML: $Event = [xml](Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4722} -MaxEvents 1).ToXml() and then reading specific fields, for example ($Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text' for the enabled account name.
How should I respond if I find unexpected Event ID 4722 entries in my security logs?
When you discover unexpected account enabling events, immediately investigate the context by checking who performed the action, when it occurred, and from which system. Verify the legitimacy by consulting change management records and confirming with the responsible administrator. If the action appears unauthorized, disable the affected account immediately, reset its password, review recent logon activities, check for other suspicious account modifications, and escalate to your incident response team. Document all findings and implement additional monitoring to prevent future unauthorized changes.

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
