How do I get notified when a new user is created in Active Directory?

Article ID: 403
Category: Security
Updated: 2020-08-24

The easiest way to get notified in real time whenever a user is created in Active Directory is by forwarding “Microsoft-Windows-Security-Auditing” event 4720. This event is logged to the Security event log whenever an Active Directory user is created.

More information on event ID 4720, including associated audit settings, is available on system32.eventsentry.com.

  1. Open the management console and either find an existing event log package to add this new filter rule to, or create a new event log package.
  2. Make sure the package is assigned to the correct hosts (e.g. your domain controllers), or make it global and use dynamic activation so that it only applies to domain controllers.
  3. Create a new event log filter that matches the following properties:
       Event Log: Security
       Severity: Audit Success
       Source: Microsoft-Windows-Security-Auditing
       Category: User Account Management
       Event ID: 4720
  4. Assign an action to the event log filter.
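
The filter above only fires if the domain controller actually logs event 4720. The following PowerShell is an added example, not part of EventSentry or the original article. It checks the audit setting and lists recent account creations. It assumes an elevated session on a domain controller with an English-language OS; the function name and the sample event are constructed for illustration.

```powershell
# Added example (not EventSentry code). Run elevated on a domain controller.
# Assumption: English-language OS, because auditpol output is localized.

# 1. Confirm that the subcategory producing event 4720 audits successes.
$policy = auditpol /get /subcategory:"User Account Management" |
    Select-String 'User Account Management'
if (-not $policy) {
    Write-Warning 'Could not read the audit policy (is the session elevated?).'
} elseif ("$policy" -notmatch 'Success') {
    Write-Warning 'Success auditing is off for User Account Management; 4720 will not be logged.'
}

# 2. Turn the XML of a 4720 event into an object with the fields worth alerting on.
#    ConvertFrom-UserCreatedXml is a hypothetical helper name.
function ConvertFrom-UserCreatedXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $doc.Event.System.TimeCreated.SystemTime
        NewAccount  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

# Constructed sample event (trimmed to the fields used above), so the parser
# can be tried on a machine that has no 4720 events yet.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID><TimeCreated SystemTime="2020-08-24T10:15:00Z" /></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-UserCreatedXml -Xml $sample

# 3. List the most recent real account creations from the Security log.
$filter = @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4720 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-UserCreatedXml -Xml $_.ToXml() }
```

If step 3 returns nothing after a test account has been created, check the audit setting from step 1 before troubleshooting the filter.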