Windows Event ID 4720 - User Account Created

Records when a new user account is created on the system or in Active Directory. Critical for detecting unauthorized account creation, persistence mechanisms, and backdoor accounts.

Quick Facts

Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)

Log Example

Default format: Windows Event Log Format

Example Log Entry
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/29/2026 11:00:00 AM
Event ID:      4720
Task Category: User Account Management
Keywords:      Audit Success
Computer:      DC01.corp.local
Description:
A user account was created.

Subject:
    Account Name:       Administrator
    Account Domain:     CORP
    Logon ID:           0x12345678

New Account:
    Account Name:       newuser
    Account Domain:     CORP

Attributes:
    SAM Account Name:   newuser
    Display Name:       New User
    User Principal Name: newuser@corp.local

Structure:

XML-based binary format

Available Formats

Windows Event Log Format

Default

Structure:

XML-based binary format

XML Format

Example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4720</EventID>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">newuser</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SamAccountName">newuser</Data>
  </EventData>
</Event>

Structure:

Native XML representation

Fields Reference

Field | Type | Description | Example
EventID | integer | Event identifier (always 4720) | 4720
TimeCreated | datetime | Timestamp when account was created | 2026-01-29T11:00:00.123Z
Computer | string | Computer where account was created (DC for domain accounts) | DC01.corp.local
SubjectUserName | string | Account that created the new user | Administrator
SubjectDomainName | string | Domain of creator account | CORP
TargetUserName | string | Name of newly created account | newuser
TargetDomainName | string | Domain of new account | CORP
TargetSid | string | SID of new account | S-1-5-21-1234567890-1234567890-1234567890-1234
SamAccountName | string | SAM account name | newuser
DisplayName | string | Display name of new account | New User
UserPrincipalName | string | UPN of new account | newuser@corp.local

Parsing Patterns

Grok Patterns

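xml (this pattern and the regular expression below expect the whole event on one line, since . does not match line breaks by default, and expect TargetUserName to appear before SubjectUserName):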

<Data Name="TargetUserName">%{DATA:target_username}</Data>.*<Data Name="SubjectUserName">%{DATA:subject_username}</Data>

Regular Expressions

xml:

TargetUserName">(?P<target_username>[^<]+)</Data>.*SubjectUserName">(?P<subject_username>[^<]+)</Data>

Collector Configurations

Splunk (SPL searches)
# Account creation tracking
index=wineventlog EventCode=4720
| table _time, Computer, SubjectUserName, TargetUserName, TargetDomainName

# Find unusual creators
index=wineventlog EventCode=4720 NOT SubjectUserName IN (Administrator, svc_provisioning)
| table _time, SubjectUserName, TargetUserName

# Off-hours creation (tonumber makes the hour comparison numeric)
index=wineventlog EventCode=4720
| eval hour=tonumber(strftime(_time, "%H"))
| where hour < 6 OR hour > 20
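
Added example (not part of the original page): a Python parser that keys EventData fields by name, so it handles multi-line XML and any field order, then applies the unusual-creator and off-hours checks from the Splunk searches above. The sample event, the account names helpdesk01 and svc_backup2, and evaluating the hour in UTC are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Allowlist copied from the "unusual creators" search; adjust per environment.
EXPECTED_CREATORS = {"administrator", "svc_provisioning"}

# Constructed sample: multi-line, and SubjectUserName precedes TargetUserName.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2026-01-29T02:14:09.1234567Z"/>
    <Computer>DC01.corp.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="TargetUserName">svc_backup2</Data>
  </EventData>
</Event>"""

def parse_4720(xml_text):
    """Return a flat dict for a 4720 event, or None for any other event ID."""
    # Assumes XML from a trusted collector; ElementTree is not hardened for hostile XML.
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", default="", namespaces=NS).strip() != "4720":
        return None
    # Key each <Data> by its Name attribute so field order and line breaks do not matter.
    event = {d.get("Name"): (d.text or "").strip()
             for d in root.iterfind("e:EventData/e:Data", NS) if d.get("Name")}
    event["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    created = root.find("e:System/e:TimeCreated", NS)
    event["TimeCreated"] = created.get("SystemTime") if created is not None else None
    return event

def triage(event):
    """Apply the two Splunk checks above: creator allowlist and off-hours creation."""
    findings = []
    if event.get("SubjectUserName", "").lower() not in EXPECTED_CREATORS:
        findings.append("unusual_creator")
    if event.get("TimeCreated"):
        # SystemTime is UTC (assumption: no local-time shift); ignore fractional seconds.
        hour = datetime.strptime(event["TimeCreated"][:19], "%Y-%m-%dT%H:%M:%S").hour
        if hour < 6 or hour > 20:  # same window as the off-hours search
            findings.append("off_hours")
    return findings

if __name__ == "__main__":
    evt = parse_4720(SAMPLE)
    print(evt["TargetUserName"], "created by", evt["SubjectUserName"], triage(evt))
```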

Configuration

Enable Logging

Enable user account management auditing

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Log To Syslog

Forward via WEF

# Include in account management subscription

Use Cases

User provisioning

Track new account creation for HR onboarding

TargetUserName
SubjectUserName
TimeCreated

Tested On

Windows Server 2022
admin - 2026-01-29
Last updated: 2026-01-29 by admin