Windows Security Log Event ID 4722

4722: A user account was enabled

On this page

• Description of this event
• Field level details
• Examples

The user identified by Subject: enabed the user identified by Target Account:. 

This event is logged both for local SAM accounts and domain accounts.

This event is always logged after event 4720 - user account creation.

You will also see event ID 4738 informing you of the same information.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4722

Subject:

The user and logon session that performed the action.

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or - in the case of local accounts - computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account: 

• Security ID:  SID of the account
• Account Name:  name of the account
• Account Domain: domain of the account

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Mini-Seminars Covering Event ID 4722 Monitoring Active Directory for Security and Compliance: How Far Does the Native Audit Log Take You? Building a Security Dashboard for Your Senior Executives Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean Top 12 Events to Monitor in the Windows Server Security Log Detecting Persistence: Top 9 Security Changes to Monitor on Windows Server Security Log Deep Dive: Mapping Active Directory Authentication and Account Management Events to MITRE ATT&CK TTPs Assessing the Security of Your Active Directory: User Accounts

 

Upcoming Webinars

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy