- Enable audit policies on the Default Domain Controller Security Policy GPO. Enable the "Audit user account management" audit policy.
- Look for event ID 4720 (user account creation), 4722 (user account enabled), 4725 (user account disabled), 4726 (user account deleted) and 4738 (user account changed).
- Keep in mind that when you initially create a user account, AD creates the account as disabled, makes several initial updates to it and then immediately enables it. Therefore, you will always see a somewhat bogus occurrence of event 4722 for each new account created.
![Microsoft Windows Security Event 4726: A user account was removed](https://img.netwrix.com/howtos/ms_windows_security_event_user_account_was_removed.png)
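The native steps above can be turned into a small triage script. The following is an added example, not part of the original how-to or any Netwrix tooling: it labels the five event IDs and marks the 4722 that AD logs as part of account creation so it is not read as a separate enable action. The sample records are constructed, and the 5-second pairing window and the `summarize` function name are assumptions.

```python
from datetime import datetime, timedelta

# Event IDs listed in the steps above.
EVENT_NAMES = {
    4720: "created", 4722: "enabled", 4725: "disabled",
    4726: "deleted", 4738: "changed",
}
# Assumption: the automatic enable follows the creation within a few seconds.
CREATE_ENABLE_WINDOW = timedelta(seconds=5)

# Constructed sample records (not real log data):
# (time, event ID, target account, account that made the change)
SAMPLE_EVENTS = [
    ("2024-03-01T09:15:02", 4720, "CORP\\jdoe", "CORP\\admin1"),
    ("2024-03-01T09:15:02", 4738, "CORP\\jdoe", "CORP\\admin1"),
    ("2024-03-01T09:15:03", 4722, "CORP\\jdoe", "CORP\\admin1"),
    ("2024-03-01T11:40:10", 4725, "CORP\\asmith", "CORP\\admin2"),
    ("2024-03-02T08:05:44", 4722, "CORP\\asmith", "CORP\\admin2"),
    ("2024-03-02T16:30:00", 4726, "CORP\\tempuser", "CORP\\admin1"),
    ("2024-03-02T16:31:00", 4624, "CORP\\jdoe", "-"),  # unrelated event, ignored
]

def summarize(events, window=CREATE_ENABLE_WINDOW):
    """Return (time, action, target, actor) rows for account-management events,
    marking the 4722 that AD logs while creating an account."""
    last_created = {}  # lower-cased target account -> time of its latest 4720
    rows = []
    for ts, event_id, target, actor in sorted(events):
        if event_id not in EVENT_NAMES:
            continue
        when = datetime.fromisoformat(ts)
        action = EVENT_NAMES[event_id]
        key = target.lower()
        if event_id == 4720:
            last_created[key] = when
        elif event_id == 4722:
            # Only the first enable after a creation can be the automatic one.
            created = last_created.pop(key, None)
            if created is not None and when - created <= window:
                action = "enabled (part of creation)"
        rows.append((ts, action, target, actor))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print("{:<20} {:<27} {:<14} by {}".format(*row))
```

An enable event that is not preceded by a creation of the same account inside the window, such as the one for `CORP\asmith` in the sample, keeps its plain "enabled" label and deserves a normal review.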
- Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory Changes" → Select "User Account Changes" → Click "View".
If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.
![Netwrix Auditor User Account Changes Report: Shows changes to user accounts (creation, modification and deletion)](https://img.netwrix.com/howtos/na_report_user_account_changes.jpg)