Applies to: Windows Server 2008, 2008 R2 and 2012
Requirement: You would like to investigate who created a new user account in Active Directory.
Prerequisite: Auditing must be configured on the domain controllers. In particular, the “Audit account management” policy must be configured, with both the Success and Failure policy settings defined. To configure auditing on domain controllers, edit and update the DDCP (Default Domain Controllers Policy).
When a new user account is created in Active Directory with the option "User must change password at next logon", the following Event IDs are generated:
4720, 4722, 4724 and 4738
Event ID: 4720
Event Details for Event ID: 4720
A user account was created.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
New Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Attributes:
SAM Account Name: Random
Display Name: Random
User Principal Name: Random@AD.TESTLAB.NET
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
SID History: -
Logon Hours: <value not set>
Event ID: 4722
Event Details for Event ID: 4722
A user account was enabled.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
Target Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Event ID: 4724
Event Details for Event ID: 4724
An attempt was made to reset an account's password.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
Target Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Event ID: 4738
Event Details for Event ID: 4738
A user account was changed.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x8190601
Target Account:
Security ID: TESTLAB\Random
Account Name: Random
Account Domain: TESTLAB
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x15
New UAC Value: 0x11
User Account Control:
'Password Not Required' - Disabled
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -
In this example TESTLAB\Santosh has created user account TESTLAB\Random.
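An added example, not part of the original article: the Python below parses events in the rendered text layout shown above, reports the Subject of each 4720 as the creator, links the 4722, 4724 and 4738 events that share the same Subject Logon ID and target account, and decodes the UAC value. The sample records are constructed from the values on this page; the TESTLAB\Helpdesk account, the Logon ID 0x99aa11 and all function names are assumptions.

```python
COMPANIONS = {4722, 4724, 4738}  # events the page lists alongside 4720
# Bits of the "UAC Value" field, named as the events on this page print them.
UAC_BITS = {0x01: "Account Disabled", 0x04: "Password Not Required", 0x10: "Normal Account"}

def parse_event(event_id, message):
    """Turn rendered message text into {"id": n, "<Section>": {field: value}}."""
    event, section = {"id": event_id}, None
    for line in message.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # free text such as "A user account was created."
        if not value.strip():
            section = event.setdefault(key, {})  # header: "Subject:", "New Account:"
        elif section is not None:
            section[key] = value.strip()
    return event

def decode_uac(hex_value):
    bits = int(hex_value, 16)
    unknown = bits & ~sum(UAC_BITS)  # anything outside the three bits named above
    names = [name for bit, name in UAC_BITS.items() if bits & bit]
    return names + ([f"unknown bits {unknown:#x}"] if unknown else [])

def who_created(events):
    """One finding per 4720, with companion events from the same logon session and target."""
    parsed = [parse_event(i, m) for i, m in events]
    findings = []
    for ev in (e for e in parsed if e["id"] == 4720):
        who, new = ev["Subject"], ev["New Account"]["Security ID"]
        linked = sorted(e["id"] for e in parsed if e["id"] in COMPANIONS
                        and e.get("Subject", {}).get("Logon ID") == who["Logon ID"]
                        and e.get("Target Account", {}).get("Security ID") == new)
        findings.append({"creator": who["Security ID"], "created": new, "companions": linked,
                         "uac_at_creation": decode_uac(ev["Attributes"]["New UAC Value"])})
    return findings

def _msg(subject, logon_id, target_label, target, extra=""):
    return (f"Subject:\n\tSecurity ID:\t{subject}\n\tLogon ID:\t{logon_id}\n"
            f"{target_label}:\n\tSecurity ID:\t{target}\n{extra}")
ADMIN, NEW, HELPDESK = r"TESTLAB\Santosh", r"TESTLAB\Random", r"TESTLAB\Helpdesk"
SAMPLE = [  # constructed records in the page's layout; Helpdesk and 0x99aa11 are made up
    (4720, _msg(ADMIN, "0x8190601", "New Account", NEW,
                "Attributes:\n\tOld UAC Value:\t0x0\n\tNew UAC Value:\t0x15\n")),
    *[(i, _msg(ADMIN, "0x8190601", "Target Account", NEW)) for i in (4722, 4724, 4738)],
    (4724, _msg(HELPDESK, "0x99aa11", "Target Account", NEW)),  # unrelated later reset
]

if __name__ == "__main__":
    print(who_created(SAMPLE))
```

The constructed Helpdesk reset is left out of the finding because its Logon ID does not match the session that raised the 4720.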
See Also:
Event IDs when a user account is deleted from Active Directory