4722 A user account was enabled
Written when a disabled user account is enabled. It captures re-enabling of dormant or former-employee accounts, which helps detect groundwork for misuse.
Overview
The subcategory is Audit User Account Management. The event is generated when an account is switched to enabled. It appears right after a new account creation (4720) or when a previously disabled account is reused.
How it is triggered
- Enabling via `net user /active:yes`, account enabling in AD, `Enable-ADAccount`, and so on.
Security review points
- Enabling a former-employee, dormant, or normally-unused account suggests misuse or takeover of an ownerless account. Re-enabling an administrator-level account in particular is notable.
- An attacker may keep an account disabled to avoid detection and enable it only at attack time. Track the account’s state changes together with creation (4720) and disabling (4725).
Notes for log review
- It also occurs during legitimate operations (return to work, recovery from suspension). Match against the target account’s profile (dormancy period, last logon).
- Monitor enabling of high-privilege and service accounts at high priority.
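The state tracking and profile matching described above, as an added example (not part of the original page): it classifies each 4722 by the account's preceding 4720/4725 event and raises priority for watched accounts. The flat field names (`target`, `subject`), the watchlist, the two time thresholds and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. "target" and "subject" stand for
# Target Account\Account Name and Subject\Account Name (assumed export format).
EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 4720, "target": "jsmith", "subject": "hr-admin"},
    {"time": "2024-01-10T09:00:01", "id": 4722, "target": "jsmith", "subject": "hr-admin"},
    {"time": "2024-02-01T17:30:00", "id": 4725, "target": "old-svc", "subject": "it-ops"},
    {"time": "2024-06-15T02:14:00", "id": 4722, "target": "old-svc", "subject": "helpdesk7"},
    {"time": "2024-06-16T10:00:00", "id": 4722, "target": "legacy-adm", "subject": "it-ops"},
]
WATCHLIST = {"old-svc", "legacy-adm"}    # assumed high-privilege / service accounts
CREATION_WINDOW = timedelta(minutes=5)   # assumed: 4722 this soon after 4720 is provisioning
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold

def review_enables(events, watchlist=WATCHLIST):
    """Return one finding per 4722, classified by the account's prior state."""
    last = {}       # target -> (event id, time) of its most recent state change
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["id"] not in (4720, 4722, 4725):
            continue
        when = datetime.fromisoformat(ev["time"])
        target = ev["target"].lower()
        if ev["id"] == 4722:
            prev = last.get(target)
            if prev is None:
                kind = "enable-without-history"   # disabled before the log window began
            elif prev[0] == 4720 and when - prev[1] <= CREATION_WINDOW:
                kind = "new-account"              # the 4722 that follows creation
            elif prev[0] == 4725 and when - prev[1] >= DORMANT_AFTER:
                kind = "dormant-reenable"
            else:
                kind = "reenable"
            if target in watchlist:
                priority = "high"
            else:
                priority = "low" if kind == "new-account" else "medium"
            findings.append({"time": ev["time"], "target": target,
                             "subject": ev["subject"], "kind": kind,
                             "priority": priority})
        last[target] = (ev["id"], when)
    return findings

if __name__ == "__main__":
    for finding in review_enables(EVENTS):
        print(finding)
```

An `enable-without-history` result means the disabling predates the collected logs, so the dormancy period has to come from the account's last-logon data instead.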
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The enabled account |
| Subject\Account Name | The subject that performed the operation |