{
	"id": "ed7dcbb2-0a82-4260-bfd1-16eea1a7db2f",
	"created_at": "2026-04-06T00:20:13.292552Z",
	"updated_at": "2026-04-10T13:12:16.948792Z",
	"deleted_at": null,
	"sha1_hash": "f0bd12bf5c25937dd786518c2c71704f6e4ba523",
	"title": "4720(S) A user account was created. - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135600,
	"plain_text": "4720(S) A user account was created. - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 19:41:35 UTC\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720\n\nSubcategory: Audit User Account Management\r\nEvent Description:\r\nThis event generates every time a new user object is created.\r\nThis event generates on domain controllers, member servers, and workstations.\r\nNote For recommendations, see Security Monitoring Recommendations for this event.\nEvent XML:\n- - 4720001382400x8020000000000000175408SecurityDC01.contoso.local - ksmith CONTOSO S-1-5-21-3457937927-2839227994-823803824-6609 S-1-5-21-3457937927-2839227994-823803824-1104 dadmin CONTOSO 0x30dc2 - ksmith Ken Smith ksmith@contoso.local - - - - - %%1794 %%1794 513 - 0x0 0x15 %%2080 %%2082 %%2084 - -\r\n \u003cData Name=\"LogonHours\"\u003e%%1793\u003c/Data\u003e\r\n \u003c/EventData\u003e\r\n \u003c/Event\u003e\r\nRequired Server Roles: None.\r\nMinimum OS Version: Windows Server 2008, Windows Vista.\r\nEvent Versions: 0.\r\nField Descriptions:\r\nSubject:\r\nSecurity ID [Type = SID]: SID of account that requested the “create user account” operation. Event\r\nViewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you\r\nwill see the source data in the event.\r\nNote  A security identifier (SID) is a unique value of variable length used to identify a trustee (security\r\nprincipal). Each account has a unique SID that is issued by an authority, such as an Active Directory\r\ndomain controller, and stored in a security database. Each time a user logs on, the system retrieves the\r\nSID for that user from the database and places it in the access token for that user. 
The system uses the\r\nSID in the access token to identify the user in all subsequent interactions with Windows security. When\r\na SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify\r\nanother user or group. For more information about SIDs, see Security identifiers.\r\nAccount Name [Type = UnicodeString]: the name of the account that requested the “create user account”\r\noperation.\r\nAccount Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include\r\nthe following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,\r\nthe value of this field is “NT AUTHORITY”.\r\nFor local user accounts, this field will contain the name of the computer or device that this account\r\nbelongs to, for example: “Win81”.\r\nLogon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events\r\nthat might contain the same Logon ID, for example, “4624: An account was successfully logged on.”\r\nNew Account:\r\nSecurity ID [Type = SID]: SID of created user account. Event Viewer automatically tries to resolve SIDs\r\nand show the account name. If the SID cannot be resolved, you will see the source data in the event.\r\nAccount Name [Type = UnicodeString]: the name of the user account that was created. For example:\r\ndadmin.\r\nAccount Domain [Type = UnicodeString]: domain name of created user account. 
Formats vary, and\r\ninclude the following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor local accounts, this field will contain the name of the computer to which this new account\r\nbelongs, for example: “Win81”.\r\nAttributes:\r\nSAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers\r\nfrom previous versions of Windows (pre-Windows 2000 logon name). The value of sAMAccountName\r\nattribute of new user object. For example: ksmith. For local accounts this field contains the name of the new\r\nuser account.\r\nDisplay Name [Type = UnicodeString]: the value of displayName attribute of new user object. It is a\r\nname displayed in the address book for a particular account. This is usually the combination of the user's\r\nfirst name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using\r\nActive Directory Users and Computers, or through a script, for example. Local accounts contain Full\r\nName attribute in this field, but for new local accounts this field typically has value “\u003cvalue not set\u003e”.\r\nUser Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the\r\nInternet standard RFC 822. By convention this should map to the account's email name. This parameter\r\ncontains the value of userPrincipalName attribute of new user object. For example,\r\nksmith@contoso.local. For local users this field is not applicable and has value “-”. You can change this\r\nattribute by using Active Directory Users and Computers, or through a script, for example.\r\nHome Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and\r\nspecifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the\r\nform \\\\Server\\Share\\Directory. 
This parameter contains the value of homeDirectory attribute of new user\r\nobject. For new local accounts this field typically has value “\u003cvalue not set\u003e”. You can change this\r\nattribute by using Active Directory Users and Computers, or through a script, for example. This parameter\r\nmight not be captured in the event, and in that case appears as “-”.\r\nHome Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by\r\nhomeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”.\r\nFor example – “H:”. This parameter contains the value of homeDrive attribute of new user object. You can\r\nchange this attribute by using Active Directory Users and Computers, or through a script, for example. This\r\nparameter might not be captured in the event, and in that case appears as “-”. For new local accounts this\r\nfield typically has value “\u003cvalue not set\u003e”.\r\nScript Path [Type = UnicodeString]: specifies the path of the account’s logon script. This parameter\r\ncontains the value of scriptPath attribute of new user object. You can change this attribute by using Active\r\nDirectory Users and Computers, or through a script, for example. This parameter might not be captured in\r\nthe event, and in that case appears as “-”. For new local accounts this field typically has value “\u003cvalue not\r\nset\u003e”.\r\nProfile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null\r\nstring, a local absolute path, or a UNC path. This parameter contains the value of profilePath attribute of\r\nnew user object. You can change this attribute by using Active Directory Users and Computers, or through\r\na script, for example. 
This parameter might not be captured in the event, and in that case appears as “-”.\r\nFor new local accounts this field typically has value “\u003cvalue not set\u003e”.\r\nUser Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers\r\nfrom which the user can log on. Each computer name is separated by a comma. The name of a computer is\r\nthe sAMAccountName property of a user object. This parameter contains the value of userWorkstations\r\nattribute of new user object. You can change this attribute by using Active Directory Users and Computers,\r\nor through a script, for example. This parameter might not be captured in the event, and in that case\r\nappears as “-”. For local users this field is not applicable and typically has value “\u003cvalue not set\u003e”.\r\nPassword Last Set [Type = UnicodeString]: last time the account’s password was modified. For a manually\r\ncreated user account, using the Active Directory Users and Computers snap-in, this field typically has value\r\n“\u003cnever\u003e”. This parameter contains the value of pwdLastSet attribute of new user object.\r\nAccount Expires [Type = UnicodeString]: the date when the account expires. This parameter contains the\r\nvalue of accountExpires attribute of new user object. You can change this attribute by using Active\r\nDirectory Users and Computers, or through a script, for example. This parameter might not be captured in\r\nthe event, and in that case appears as “-”. 
For manually created local and domain user accounts this field\r\ntypically has value “\u003cnever\u003e”.\r\nPrimary Group ID [Type = UnicodeString]: Relative Identifier (RID) of the user object’s primary group.\r\nNote  Relative identifier (RID) is a variable length number that is assigned to objects at creation and\r\nbecomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within\r\na domain.\r\nTypically, Primary Group field for new user accounts has the following values:\r\n513 (Domain Users. For local accounts this RID means Users) – for domain and local users.\r\nSee this article \u003c/windows/security/identity-protection/access-control/security-identifiers\u003e for more\r\ninformation. This parameter contains the value of primaryGroupID attribute of new user object.\r\nAllowed To Delegate To [Type = UnicodeString]: the list of SPNs to which this account can present\r\ndelegated credentials. Can be changed using Active Directory Users and Computers management console\r\nin Delegation tab of user account, if this account has at least one SPN registered. This parameter contains\r\nthe value of AllowedToDelegateTo attribute of new user object. For local user accounts this field is not\r\napplicable and typically has value “-”. For new domain user accounts it typically has value “-”. See\r\ndescription of AllowedToDelegateTo field for “4738(S): A user account was changed.” event for more\r\ndetails.\r\nNote  Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a\r\nservice. If you install multiple instances of a service on computers throughout a forest, each instance\r\nmust have its own SPN. A given service instance can have multiple SPNs if there are multiple names\r\nthat clients might use for authentication. 
For example, an SPN always includes the name of the host\r\ncomputer on which the service instance is running, so a service instance might register an SPN for each\r\nname or alias of its host.\r\nOld UAC Value [Type = UnicodeString]: is always “0x0” for new accounts.\r\nNew UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,\r\nscript, and other behavior for the user or computer account. This parameter contains the value of the SAM\r\nimplementation of account flags (definition differs from userAccountControl in AD). For a list of account\r\nflags you may see here, refer to [MS-SAMR]: USER_ACCOUNT Codes.\r\nUser Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and\r\nComputers management console in Dial-in tab of user’s account properties, then you will see \u003cvalue\r\nchanged, but not displayed\u003e in this field in “4738: A user account was changed.” This parameter might\r\nnot be captured in the event, and in that case appears as “-”. For new local accounts this field typically has\r\nvalue “\u003cvalue not set\u003e”.\r\nSID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved\r\nfrom another domain. Whenever an object is moved from one domain to another, a new SID is created and\r\nbecomes the objectSID. The previous SID is added to the sIDHistory property. This parameter contains the\r\nvalue of sIDHistory attribute of new user object. This parameter might not be captured in the event, and in\r\nthat case appears as “-”.\r\nLogon Hours [Type = UnicodeString]: hours that the account is allowed to log on to the domain. The value\r\nof logonHours attribute of new user object. You can change this attribute by using Active Directory Users\r\nand Computers, or through a script, for example. You will typically see “\u003cvalue not set\u003e” value for new\r\nmanually created user accounts in event 4720. 
For new local accounts this field is not applicable and\r\ntypically has value “All”.\r\nAdditional Information:\r\nPrivileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for\r\nexample, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as\r\n“-”. See full list of user privileges in “Table 8. User Privileges.”\r\n\r\nSecurity Monitoring Recommendations\r\nFor 4720(S): A user account was created.\r\nImportant  For this event, also see Appendix A: Security monitoring recommendations for many audit\r\nevents.\r\nSome organizations monitor every 4720 event.\r\nConsider whether to track the following fields and values:\r\nField and value to track | Reason to track\r\nSAM Account Name is empty or - | This field must contain the user account name. If it is empty or -, it might indicate an anomaly.\r\nUser Principal Name is empty or - | Typically this field should not be empty for new user accounts. If it is empty or -, it might indicate an anomaly.\r\nHome Directory is not -; Home Drive is not -; Script Path is not -; Profile Path is not -; User Workstations is not - | Typically these fields are - for new user accounts. Other values might indicate an anomaly and should be monitored. For local accounts these fields should display \u003cvalue not set\u003e.\r\nPassword Last Set is \u003cnever\u003e | This typically means this is a manually created user account, which you might need to monitor.\r\nPassword Last Set is a time in the future | This might indicate an anomaly.\r\nAccount Expires is not \u003cnever\u003e | Typically this field is \u003cnever\u003e for new user accounts. Other values might indicate an anomaly and should be monitored.\r\nPrimary Group ID is not 513 | Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.\r\nAllowed To Delegate To is not - | Typically this field is - for new user accounts. Other values might indicate an anomaly and should be monitored.\r\nOld UAC Value is not 0x0 | Typically this field is 0x0 for new user accounts. Other values might indicate an anomaly and should be monitored.\r\nSID History is not - | This field will always be set to - unless the account was migrated from another domain.\r\nLogon Hours value other than \u003cvalue not set\u003e or “All” | This should always be \u003cvalue not set\u003e for new domain user accounts, and “All” for new local user accounts.\r\n\r\nConsider whether to track the following user account control flags:\r\nUser account control flag to track | Information about the flag\r\n'Normal Account' – Disabled | Should not be disabled for user accounts.\r\n'Encrypted Text Password Allowed' – Enabled; 'Smartcard Required' – Enabled; 'Not Delegated' – Enabled; 'Use DES Key Only' – Enabled; 'Don't Require Preauth' – Enabled; 'Trusted To Authenticate For Delegation' – Enabled | By default, these flags should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.\r\n'Server Trust Account' – Enabled | Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.\r\n'Don't Expire Password' – Enabled | Should be monitored for critical accounts, or all accounts if your organization does not allow this flag. By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in.\r\n'Trusted For Delegation' – Enabled | By default, this flag should not be enabled for new user accounts created with the “Active Directory Users and Computers” snap-in. It is enabled by default only for new domain controllers.\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
	],
	"report_names": [
		"event-4720"
	],
	"threat_actors": [],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0bd12bf5c25937dd786518c2c71704f6e4ba523.pdf",
		"text": "https://archive.orkl.eu/f0bd12bf5c25937dd786518c2c71704f6e4ba523.txt",
		"img": "https://archive.orkl.eu/f0bd12bf5c25937dd786518c2c71704f6e4ba523.jpg"
	}
}