Windows Security Log Event ID 624

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryAccount Management
Type Success
Corresponding events
in Windows 2008
and Vista
4720  

624: User Account Created

On this page

"Caller user" created "new account". This event will be accompanied by at least 2 subsequent event ID 642s and one 627.

Free Security Log Resources by Randy

Description Fields in 624

  • New Account Name: %1
  • New Domain: %2
  • New Account ID: %3
  • Caller User Name: %4
  • Caller Domain: %5
  • Caller Logon ID: %6
  • Privileges  %7

Attributes: (Windows 2003)

  • Sam Account Name: %8
  • Display Name: %9
  • User Principal Name: %10
  • Home Directory: %11
  • Home Drive: %12
  • Script Path: %13
  • Profile Path: %14
  • User Workstations: %15
  • Password Last Set: %16
  • Account Expires: %17
  • Primary Group ID: %18
  • AllowedToDelegateTo: %19
  • Old UAC Value: %20
  • New UAC Value: %21
  • User Account Control: %22
  • User Parameters: %23
  • Sid History: %24
  • Logon Hours: %25

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 624

User Account Created:
New Account Name:harold
New Domain:ELM
New Account ID:ELM\harold
Caller User Name:administrator
Caller Domain:ELM
Caller Logon ID:(0x0,0x158EB7)
Privileges-

Windows Server 2003 adds these fields

Attributes:
Sam Account Name:harold
Display Name:harold
User Principal Name:harold@elm.local
Home Directory:-
Home Drive:-
Script Path:-
Profile Path:-
User Workstations:-
Password Last Set:

Account Expires:

Primary Group ID:513
AllowedToDelegateTo:-
Old UAC Value:0x0
New UAC Value:0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters:-
Sid History:-
Logon Hours:

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources