SOC Event Lookup
Event ID 4722AccountMgmtP2

Windows Event ID 4722: A user account was enabled

Event ID 4722 records enabling of a user account.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-11

Trigger Scenarios

Windows logs it when an administrator or workflow enables a local or domain account.

Key Fields

Target Account

The account enabled; dormant, disabled, and privileged accounts require context.

Subject

The actor who enabled it.

Target SID

A stable identity for correlating renamed accounts.

Common False Positives

  • Onboarding and identity workflows enable valid accounts.
  • Helpdesk staff re-enable accounts after lockout or leave.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation

Detection Notes

T1098 persistence is concrete when an account disabled by 4725 is re-enabled by 4722 and receives a Type 10 4624 within 60 minutes. The 60-minute sequence distinguishes ordinary onboarding from rapid restoration of a dormant access path.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4722
| project TimeGenerated, Computer, Account, TargetAccount, TargetSid
Splunk SPL
index=wineventlog EventCode=4722 | table _time, host, SubjectUserName, TargetUserName, TargetSid
Sample Log
Subject: CORP\admin.ops
Target Account: CORP\former.user
Target SID: S-1-5-21-REDACTED

Source