ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying security audit logs for user account management monitoring
Event ID 5633InformationSecurity-AuditingWindows

Windows Event ID 5633 – Security-Auditing: User Account Management Audit Event

Event ID 5633 tracks user account management operations in Windows security auditing, firing when user accounts are created, modified, or deleted through administrative actions.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5633Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 5633 represents a fundamental component of Windows security auditing infrastructure, specifically designed to monitor user account lifecycle management operations. When this event fires, it indicates that someone with appropriate administrative privileges has performed an action that affects user account properties or existence within the Windows security subsystem.

The event captures comprehensive metadata about the account management operation, including the security identifier (SID) of both the administrator performing the action and the target user account being modified. Windows logs this event regardless of whether the operation succeeds or fails, providing administrators with complete visibility into account management attempts.

In Active Directory environments, Event ID 5633 appears on domain controllers when user accounts are created through tools like Active Directory Administrative Center, PowerShell's New-ADUser cmdlet, or third-party identity management solutions. On standalone systems, the event fires when local user accounts are managed through Computer Management, net user commands, or PowerShell's New-LocalUser cmdlet.

The event structure includes fields for the subject (who performed the action), the target account details, and specific attributes that were modified during the operation. This granular logging enables security teams to reconstruct the exact sequence of account management activities and identify potential security violations or policy breaches.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator creating new user accounts through Active Directory Users and Computers
  • PowerShell scripts executing New-ADUser or New-LocalUser cmdlets
  • Automated provisioning systems creating user accounts via LDAP or WMI
  • Third-party identity management tools performing user account operations
  • Group Policy-driven account creation or modification processes
  • Exchange Server creating associated user accounts during mailbox provisioning
  • System administrators modifying user account properties like display names or group memberships
  • Service accounts being created or updated by application installers
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event ID 5633 entries to understand what account management operations triggered the events.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. In the Actions pane, click Filter Current Log
  4. Enter 5633 in the Event IDs field and click OK
  5. Double-click on Event ID 5633 entries to view detailed information
  6. Examine the Subject section to identify who performed the account operation
  7. Review the Target Account section to see which user account was affected
  8. Check the Changed Attributes section to understand what modifications were made
Pro tip: Look for patterns in the timing and source of account creation events to identify automated provisioning processes versus manual administrative actions.
02

Query Events with PowerShell for Analysis

Use PowerShell to extract and analyze Event ID 5633 entries for comprehensive account management tracking.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 5633 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5633} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Extract detailed event properties for analysis:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5633} -MaxEvents 100
$Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        TargetSid = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'} | Select-Object -ExpandProperty '#text'
    }
}
  4. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5633; StartTime=$StartTime; EndTime=$EndTime}
Warning: Large Security logs can impact PowerShell performance. Use -MaxEvents parameter to limit results when querying busy domain controllers.
03

Configure Advanced Audit Policy for Enhanced Logging

Ensure proper audit policy configuration to capture comprehensive user account management events.

  1. Open Group Policy Management Console or run gpedit.msc for local policy
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Account Management and double-click Audit User Account Management
  4. Check both Success and Failure to capture all account operations
  5. Apply the policy and run gpupdate /force to refresh settings
  6. Verify audit policy configuration using command line:
    auditpol /get /subcategory:"User Account Management"
  7. Check current audit settings across all categories:
    auditpol /get /category:*
  8. Enable specific subcategories if needed:
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
Pro tip: Enable audit policy on domain controllers and member servers to track both domain and local account management operations comprehensively.
04

Investigate Account Management Patterns and Anomalies

Analyze Event ID 5633 patterns to identify unusual account management activities or potential security issues.

  1. Create a PowerShell script to analyze account creation patterns:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5633} -MaxEvents 1000
$Analysis = $Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time = $_.TimeCreated
        Subject = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        Target = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        Domain = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
    }
}
$Analysis | Group-Object Subject | Sort-Object Count -Descending
  2. Identify accounts created outside business hours:
    $Analysis | Where-Object {$_.Time.Hour -lt 8 -or $_.Time.Hour -gt 18} | Format-Table
  3. Check for bulk account creation activities:
    $Analysis | Group-Object @{Expression={$_.Time.Date}} | Where-Object {$_.Count -gt 10}
  4. Cross-reference with Active Directory to verify account status:
    Import-Module ActiveDirectory
$RecentAccounts = $Analysis | Where-Object {$_.Time -gt (Get-Date).AddDays(-1)}
$RecentAccounts | ForEach-Object {
    try {
        $ADUser = Get-ADUser -Identity $_.Target -Properties Created, Enabled
        [PSCustomObject]@{
            Username = $_.Target
            EventTime = $_.Time
            ADCreated = $ADUser.Created
            Enabled = $ADUser.Enabled
        }
    } catch {
        Write-Warning "Account $($_.Target) not found in AD"
    }
}
05

Set Up Automated Monitoring and Alerting

Implement automated monitoring solutions to track Event ID 5633 and alert on suspicious account management activities.

  1. Create a scheduled task to monitor account creation events:
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\MonitorAccountCreation.ps1'
$Trigger = New-ScheduledTaskTrigger -Daily -At '09:00'
$Principal = New-ScheduledTaskPrincipal -UserID 'SYSTEM' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'Monitor-AccountCreation' -Action $Action -Trigger $Trigger -Principal $Principal
  2. Create the monitoring script at C:\Scripts\MonitorAccountCreation.ps1:
    # Monitor Account Creation Script
$Yesterday = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5633; StartTime=$Yesterday}

if ($Events.Count -gt 20) {
    $Subject = "High Volume Account Creation Detected"
    $Body = "$($Events.Count) account management events detected in the last 24 hours"
    Send-MailMessage -To 'admin@company.com' -From 'monitoring@company.com' -Subject $Subject -Body $Body -SmtpServer 'mail.company.com'
}
  3. Configure Windows Event Forwarding for centralized monitoring:
    wecutil cs subscription.xml
  4. Create subscription XML file for Event ID 5633 forwarding:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>AccountManagement</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=5633)]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
Pro tip: Integrate Event ID 5633 monitoring with SIEM solutions like Microsoft Sentinel or Splunk for advanced correlation and threat detection capabilities.

Overview

Event ID 5633 is a security audit event that fires when Windows detects user account management operations. This event appears in the Security log when administrators create, modify, or delete user accounts through various Windows management tools including Active Directory Users and Computers, PowerShell cmdlets, or the Local Users and Groups snap-in.

The event captures critical details about who performed the account operation, what changes were made, and when the action occurred. Windows generates this event as part of the Advanced Audit Policy Configuration under Account Management auditing. System administrators rely on Event ID 5633 to track user provisioning workflows, detect unauthorized account modifications, and maintain compliance with security policies.

This event fires on domain controllers when Active Directory user accounts are managed, and on member servers or workstations when local user accounts are modified. The event provides essential forensic data for security investigations and helps administrators understand the timeline of user account changes across their Windows infrastructure.

Frequently Asked Questions

What does Event ID 5633 indicate in Windows security logs?+
Event ID 5633 indicates that a user account management operation has occurred on the system. This includes creating new user accounts, modifying existing account properties, or deleting user accounts. The event captures who performed the operation, which account was affected, and what specific changes were made. It's part of Windows security auditing and helps administrators track user provisioning activities and maintain security compliance.
Why am I seeing multiple Event ID 5633 entries for a single user account creation?+
Multiple Event ID 5633 entries for one account creation are normal because Windows logs separate events for different attributes being set during account creation. For example, creating a user account might generate separate events for setting the username, display name, group memberships, and other properties. Each attribute modification triggers its own audit event, providing granular tracking of all changes made to the user account during the provisioning process.
How can I distinguish between legitimate and suspicious Event ID 5633 activities?+
Legitimate Event ID 5633 activities typically occur during business hours by known administrators and follow established patterns. Suspicious activities include account creation outside business hours, bulk account creation by unusual subjects, accounts created by non-administrative users, or creation of accounts with suspicious naming patterns. Cross-reference the Subject field with your list of authorized administrators and look for deviations from normal provisioning workflows. Automated tools or service accounts should have consistent, predictable patterns.
Can Event ID 5633 help me track when service accounts are created or modified?+
Yes, Event ID 5633 captures service account management operations just like regular user accounts. Service accounts often have distinctive naming conventions (like ending in $ for computer accounts or having service-related prefixes) that make them identifiable in the logs. When applications or system components create service accounts during installation, these operations generate Event ID 5633 entries. This helps administrators track service account proliferation and ensure proper governance of privileged accounts across their environment.
What should I do if Event ID 5633 shows account creation by unauthorized users?+
If Event ID 5633 shows unauthorized account creation, immediately investigate the incident as a potential security breach. First, disable the newly created account and verify the legitimacy of the creating user. Check if the subject account has been compromised by reviewing its recent logon activities (Event IDs 4624, 4625). Examine the target account's properties and group memberships for signs of privilege escalation. Document the incident, reset passwords for involved accounts, and review your administrative access controls. Consider implementing additional monitoring and approval workflows for account creation operations.
Documentation

References (2)

1
Microsoft Security Auditing DocumentationComprehensive guide to Windows security auditing including account management events and audit policy configuration.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/
2
Advanced Audit Policy ConfigurationDetailed documentation on configuring advanced audit policies for comprehensive security event logging.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5633#security-auditing#user-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...