Could this be the result of your audit policy? https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
Is there an Event ID (or log somewhere created) when a new LOCAL user account is created on a domain-joined computer?

Hi,
Is there an Event ID when a new LOCAL user account is created on a domain-joined computer? If so, where can I find it?
I can find 4720 event ID in the domain controllers when a new user account is created in AD. However, we would like to find out if there is any log created when someone creates a local user account on our domain-joined computers.
To test, I created a local account under Computer Management of the machine, but I do not see a corresponding 4720 ID in the Security Log, nor in Applications and Services. This only applies to AD accounts.
Please advise. Thank you.
2 answers
Andrew Blumhardt 10,051 Reputation points Microsoft Employee
2022-03-26T05:20:18.067+00:00
Limitless Technology 39,931 Reputation points
2022-04-01T12:51:31.5+00:00
Hello @DoBongSoon
New local user account creation should trigger a 4720 Event ID. You could look for Event ID 4732: A member was added to a security-enabled local group.
If you need to find out when a local user account was created, you can find the C:\Users\xxx folder and right click it to check the created time.
I hope this answers your question.
Thanks.
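A way to check both points raised in this thread on the client itself, the audit policy and the 4720/4732 events, as an added example that is not part of either answer. It assumes an elevated PowerShell session and an English-language OS; the function name `ConvertFrom-AccountEvent` is made up for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the client itself.
# Assumes an English-language OS: auditpol subcategory names are localized.

# 1. Is account management audited here? "No Auditing" means the local
#    Security log gets no 4720/4732 entries regardless of what was created.
auditpol /get /subcategory:"User Account Management"
auditpol /get /subcategory:"Security Group Management"

# To turn success auditing on locally (a domain GPO can overwrite this):
#   auditpol /set /subcategory:"User Account Management" /success:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable

# 2. Flatten one Security event into an object using its named EventData fields.
function ConvertFrom-AccountEvent {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            EventId     = $Record.Id
            # 4720: the new account. 4732: the local group that gained a member.
            Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            MemberSid   = $data['MemberSid']   # only present on 4732
            Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# 3. Query the local Security log (not the domain controller's).
$filter = @{ LogName = 'Security'; Id = 4720, 4732 }
$found  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              ConvertFrom-AccountEvent

if ($found) {
    $found | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Warning 'No 4720/4732 events found: check the audit policy output above and the Security log retention.'
}
```

For a local account the domain part of `Target` on a 4720 event is the computer name rather than the AD domain, which separates it from the 4720 events seen on domain controllers.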