3,085 questions
Could this be the result of your audit policy? https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
Is there an Event ID (or log somewhere created) when a new LOCAL user account is created on a domain-joined computer?
DoBongSoon
546
Reputation points
Hi,
Is there an Event ID when a new LOCAL user account is created on a domain-joined computer? if so, where can I find it?
I can find 4720 event ID in the domain controllers when a new user account is created in AD. However, we would like to find out if there is any log created when someone creates a local user account on our domain-joined computers.
To test, I created a local account under Computer Management of the machine, but I do not see a corresponding 4720 ID in the Security Log, nor in Applications and Services. This only applies to AD accounts.
Please advise. Thank you.
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
2 answers
Sort by: Most helpful
-
Andrew Blumhardt 10,051 Reputation points Microsoft Employee2022-03-26T05:20:18.067+00:00 -
DoBongSoon 546 Reputation points
2022-03-29T23:19:32.043+00:00 @Andrew Blumhardt - Thanks for the reply but our Audit is already turned on. We have no problem auditing accounts created in Active Directory but if the account is created in the Computer Management -> Users of the machine, I don't see a log so I cannot monitor.
Sign in to comment -
-
Limitless Technology 39,931 Reputation points2022-04-01T12:51:31.5+00:00 Hello @DoBongSoon
New local user account creation should trigger a 4720 Event ID. You could look for Event ID 4732: A member was added to a security-enabled local group.
If you need to find out when a local user account was created, you can find the C:\Users\xxx folder and right click it to check the created time.
I hope this answers your question.
Thanks.
--
--If the reply is helpful, please Upvote and Accept as answer--