4722 - A user account was enabled - Machine... Expand / Collapse
Author
Message
Posted 5/18/2015 12:42:32 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 5/18/2015 12:28:59 PM
Posts: 1, Visits: 1
I am seeing a Domain Controller log Event ID 4722 indicating that a user has been enabled. The subject of the message (and every other message I would expect to log alongside 4722) indicates that this was done by the machine account of the machine where the action was performed. Is there a reason this would occur and is there any way to find and log the true user who performed this action?
Post #3258
Posted 6/8/2015 8:22:01 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
Is the target account a computer account?
Post #3266
Posted 6/29/2020 10:40:21 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 6/29/2020 9:59:02 PM
Posts: 1, Visits: 0
I know this is an old post but thought I would give it a shot. We have had the same thing happen in our domain. Three times in a 3 day period the builtin domain administrator account on the forest root domain has been enabled. The subject in event ID 4722 says user id: NT AUTHORITY\SYSTEM. Account name Domaincontroller$. ( It of course has the real domain controller name). Since the account that was enabled by the domain controller system account was the built in administrator account that is put in Enterprise admin, Domain Admin, and Schema Admin, this has really concerned us. Are there any legitimate system processes than can occur that would allow a PDC system account to enable this account? The account was the only account in enterprise admin when it was enabled. I could not find any mention online where this has occurred for any reason, both legitimate and nefarious.
Post #8644
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 10:53pm