ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying Security log with Event ID 4762 user account enabled events on a cybersecurity monitoring dashboard
Event ID 4762InformationSecurityWindows

Windows Event ID 4762 – Security: User Account Enabled

Event ID 4762 logs when a user account is enabled in Active Directory or local security database. This security audit event tracks account state changes for compliance and monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4762Security 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 4762 represents a fundamental security audit event that documents user account enablement operations across Windows environments. The event fires immediately when the account's userAccountControl attribute changes to remove the ACCOUNTDISABLE flag, transitioning the account from disabled to active state.

The event structure includes comprehensive metadata about the operation: the Security ID (SID) and name of both the target account and the administrator performing the action, the logon session details, and the source workstation information. For domain environments, this event generates on the domain controller processing the change, while local account modifications trigger the event on the respective workstation.

From a security perspective, Event ID 4762 provides crucial visibility into account lifecycle management. Unauthorized account enablement represents a significant security risk, as attackers often target disabled accounts to establish persistence or escalate privileges. The event's detailed logging enables security teams to correlate account changes with user behavior, detect anomalous administrative actions, and maintain audit trails for compliance frameworks like SOX, HIPAA, and PCI-DSS.

The event integrates seamlessly with Windows Advanced Audit Policy Configuration, specifically under the "Audit User Account Management" subcategory. Organizations typically configure centralized log collection to aggregate these events from multiple domain controllers and workstations, enabling comprehensive security monitoring and automated alerting on suspicious account activities.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually enables a disabled user account through Active Directory Users and Computers console
  • PowerShell commands like Enable-ADAccount or Set-ADUser modify account status
  • Automated scripts or management tools enable accounts based on business logic or scheduled tasks
  • Group Policy processing enables accounts through security template applications
  • Third-party identity management systems synchronize account states and enable previously disabled accounts
  • Exchange Server or other applications enable service accounts during installation or configuration
  • Account lockout policies automatically re-enable accounts after specified time periods
  • Bulk user management operations enable multiple accounts simultaneously through CSV imports or batch scripts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific event details to understand who enabled the account and from where:

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4762 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4762 in the Event IDs field and click OK
  5. Double-click the event to view detailed information including:
    • Subject: Administrator who performed the action
    • Target Account: User account that was enabled
    • Logon ID: Session identifier for correlation
    • Workstation Name: Source computer for the operation
Pro tip: Note the timestamp and correlate with other security events using the same Logon ID to build a complete picture of the administrative session.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4762 occurrences across your environment:

  1. Open PowerShell as Administrator
  2. Query recent account enablement events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events for specific user accounts:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762} | Where-Object {$_.Message -like '*TargetUserName*'} | Format-Table TimeCreated, Message -Wrap
  4. Export events for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762} | Export-Csv -Path "C:\Temp\AccountEnabled_Events.csv" -NoTypeInformation
  5. Query remote domain controllers:
    Invoke-Command -ComputerName DC01,DC02 -ScriptBlock {Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762} -MaxEvents 10}
Warning: Large Security logs may cause performance impact. Use -MaxEvents parameter to limit results and consider time-based filtering for production environments.
03

Investigate Account Status with Active Directory Tools

Verify the current account status and recent changes using Active Directory administrative tools:

  1. Open Active Directory Users and Computers from Administrative Tools
  2. Navigate to the organizational unit containing the target user account
  3. Right-click the user account and select Properties
  4. Check the Account tab to verify current account status and settings
  5. Use PowerShell to query account details:
    Get-ADUser -Identity "username" -Properties Enabled, LastLogonDate, PasswordLastSet, WhenChanged | Format-List
  6. Review account modification history:
    Get-ADUser -Identity "username" -Properties * | Select-Object Name, Enabled, WhenCreated, WhenChanged, ModifiedCount
  7. Check for recent password changes that might correlate with account enablement:
    Search-ADAccount -AccountDisabled | Where-Object {$_.PasswordLastSet -gt (Get-Date).AddDays(-7)}
Pro tip: Cross-reference the WhenChanged timestamp with Event ID 4762 occurrence to confirm the correlation between audit events and actual account modifications.
04

Configure Advanced Audit Monitoring

Implement comprehensive monitoring to track future account enablement events and establish security baselines:

  1. Configure Advanced Audit Policy using Group Policy:
    • Open Group Policy Management Console
    • Edit the appropriate GPO and navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Enable Audit User Account Management for both Success and Failure
  2. Set up PowerShell monitoring script:
    # Create monitoring script for Event ID 4762
$Action = {
    $Event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762} -MaxEvents 1
    $Message = "Account Enabled: " + $Event.Message
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 -Message $Message
}
Register-WMIEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4762" -Action $Action
  3. Configure Windows Event Forwarding (WEF) for centralized collection:
    winrm quickconfig
wecutil cs subscription.xml
  4. Create custom XML subscription file for Event ID 4762 collection targeting domain controllers and critical servers
Warning: Excessive audit logging can impact system performance and generate large log files. Monitor disk space and configure log rotation policies appropriately.
05

Implement Security Information and Event Management (SIEM) Integration

Establish enterprise-level monitoring and alerting for Event ID 4762 through SIEM integration:

  1. Configure Windows Event Collection service on collector servers:
    Start-Service Wecsvc
Set-Service Wecsvc -StartupType Automatic
  2. Create custom detection rules in your SIEM platform for Event ID 4762 patterns:
    • Multiple account enablements from single administrator session
    • Account enablement outside business hours
    • Privileged account enablement by non-authorized personnel
    • Bulk account enablement operations
  3. Set up automated correlation with other security events:
    # PowerShell script for event correlation
$EnableEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4762; StartTime=(Get-Date).AddHours(-1)}
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1)}
# Correlate events by LogonId for comprehensive session analysis
  4. Configure alerting thresholds and notification channels for security team response
  5. Implement automated response workflows for high-risk scenarios like privileged account enablement
  6. Create compliance reports combining Event ID 4762 with related account management events (4720, 4722, 4725, 4767)
Pro tip: Establish baseline metrics for normal account enablement patterns in your environment to improve detection accuracy and reduce false positives in automated alerting systems.

Overview

Event ID 4762 fires whenever a user account transitions from disabled to enabled state in Windows security subsystem. This audit event appears in the Security log when administrators enable previously disabled user accounts through Active Directory Users and Computers, PowerShell commands, or local user management tools.

The event captures critical details including the target account name, the administrator who performed the action, and the workstation from which the change originated. Windows generates this event on domain controllers for AD accounts and on local machines for local user accounts when audit policy for User Account Management is enabled.

This event serves as a cornerstone for security monitoring, helping administrators track account lifecycle changes and detect unauthorized account activations. Security teams rely on 4762 events to maintain compliance with regulatory requirements and investigate potential security incidents involving account manipulation.

Frequently Asked Questions

What does Event ID 4762 mean and when does it occur?+
Event ID 4762 indicates that a user account has been enabled in Windows security subsystem. This event fires whenever an administrator changes an account from disabled to enabled state through Active Directory Users and Computers, PowerShell commands like Enable-ADAccount, or local user management tools. The event appears in the Security log on domain controllers for AD accounts and on local machines for local user accounts, provided that audit policy for User Account Management is enabled.
How can I identify who enabled a user account using Event ID 4762?+
Event ID 4762 contains detailed information about the account enablement operation. In the event details, look for the 'Subject' section which identifies the administrator who performed the action, including their Security ID (SID), account name, and domain. The event also includes the Logon ID which can be used to correlate with logon events (Event ID 4624) to determine the source workstation and session details. Additionally, the 'Target Account' section shows which specific user account was enabled.
Is Event ID 4762 a security concern that requires immediate attention?+
Event ID 4762 itself is an informational audit event and not inherently a security threat. However, it requires attention in specific contexts: unauthorized account enablement outside normal business processes, enabling of privileged or service accounts without proper approval, bulk account enablement operations that deviate from established patterns, or account enablement during off-hours by unauthorized personnel. Organizations should establish baseline patterns for normal account management activities and investigate deviations that could indicate malicious activity or policy violations.
How do I configure Windows to generate Event ID 4762 for account management auditing?+
To generate Event ID 4762, you must enable the 'Audit User Account Management' policy under Advanced Audit Policy Configuration. Navigate to Group Policy Management Console, edit the appropriate GPO, and go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management. Enable both Success and Failure auditing. For domain environments, apply this policy to domain controllers and member servers. Local machines require local security policy configuration through secpol.msc under Local Policies → Audit Policy.
Can I automate monitoring and alerting for Event ID 4762 across multiple servers?+
Yes, you can implement automated monitoring through several methods. Use Windows Event Forwarding (WEF) to centralize Event ID 4762 collection from multiple servers to a collector server. Configure PowerShell scheduled tasks with Get-WinEvent cmdlets to query and process events automatically. Implement SIEM integration using Windows Event Collection service or third-party log forwarding agents. Create custom PowerShell scripts with Register-WMIEvent to trigger immediate actions when Event ID 4762 occurs. For enterprise environments, establish correlation rules that combine Event ID 4762 with related events (4720, 4722, 4725) to provide comprehensive account lifecycle monitoring and automated alerting based on defined risk thresholds.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive documentation covering Windows security audit events including Event ID 4762 and related account management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial Microsoft documentation for configuring advanced audit policies including User Account Management auditing requirements.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4762#security-auditing#account-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...