Forum

Ultimate Windows Security Forum » Security Log » 4720 - A user account was created » New Localuser account created in Domain...

New Localuser account created in Domain...

Rate Topic

Display Mode

Topic Options

Author

Message

srtsecu

Posted 8/17/2018 1:42:41 PM

Forum Newbie

Group: Forum Members
Last Login: 8/17/2018 1:22:51 PM
Posts: 1, Visits: 0

Hi Mr. Randy, thank you for your ultimate encyclopedia. I've one question, I was working on the detection of new localuser account created in DC controlled environment. Event ID 4720 gets generated on new account creation but I want to differentiate new accounts created on DC vs new accounts created locally. Is there a way in which I can do this using Windows Security Logs?
Right now my lab isn't configured with DC, but I think if Computer Name and Target Domain Name is same, then it's local account creation. Please suggest me solution so that I can play with event IDs to build a detection.

Thanks in advance! Smile

Post #8487

derekthomas

Posted 8/27/2018 5:23:27 PM

Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0

You got it!

Computer name = New Account - Account Domain

Post #8493

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 2:54am

Upcoming Webinars

Tier Zero: What It Is, Its Importance, Its Boundaries, and Detecting Out-of-Bounds Activity

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.