Windows Security Log Event ID 4720

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Account Management
 • User Account Management
Type Success
Corresponding events
in Windows 2003
and before		 624  

4720: A user account was created

On this page

The user identified by Subject: created the user identified by New Account:. 

Attributes show some of the properties that were set at the time the account was created.  Notice account is initially disabled.

This event is logged both for local SAM accounts and domain accounts.

You will see a series of other User Account Management events after this event as the remaining properties are punched down, password set and account finally enabled.

Free Security Log Resources by Randy

Description Fields in 4720

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

New Account: 

  • Security ID:  SID of the account
  • Account Name:  name of the account
  • Account Domain: domain of the account 

Attributes:

  • SAM Account Name: pre Win2k logon name
  • Display Name:
  • User Principal Name: user logon name
  • Home Directory:
  • Home Drive:
  • Script Path:
  • Profile Path:
  • User Workstations: workstation restrictions
  • Password Last Set: last time password changed but also used for "user must change password at next logon"
  • Account Expires:
  • Primary Group ID: SID of primary group
  • Allowed To Delegate To: n/a
  • Old UAC Value:  bitwise representation of Account Options check list
  • New UAC Value:  bitwise representation of Account Options check list
  • User Account Control:
  • Account Disabled
  • 'Password Not Required' - Enabled
  • 'Normal Account' - Enabled
  • User Parameters: unkown.  Start a discussion below if you have informatino to share!
  • SID History:  used when migrating legacy domains
  • Logon Hours:  Day or week and time of day restrictions
  • Additional Information:
  • Privileges  unkown.  Start a discussion below if you have informatino to share!

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 4720

A user account was created.

Subject:

   Security ID:  ACME-FR\administrator
   Account Name:  administrator
   Account Domain:  ACME-FR
   Logon ID:  0x20f9d

New Account:

   Security ID:  ACME-FR\John.Locke
   Account Name:  John.Locke
   Account Domain:  ACME-FR

Attributes:

   SAM Account Name: John.Locke
   Display Name:  John Locke
   User Principal Name: John.Locke@acme-fr.local
   Home Directory:  -
   Home Drive:  -
   Script Path:  -
   Profile Path:  -
   User Workstations: -
   Password Last Set: <never>
   Account Expires:  <never>
   Primary Group ID: 513
   Allowed To Delegate To: -
   Old UAC Value:  0x0
   New UAC Value:  0x15
   User Account Control:
    Account Disabled
    'Password Not Required' - Enabled
    'Normal Account' - Enabled
   User Parameters: -
   SID History:  -
   Logon Hours:  <value not set>

Additional Information:

   Privileges  -

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 4720
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!