Can I monitor local windows server account creation?

Can Orion 2018.2  monitor the creation of local user accounts on servers and send out alerts. security dept wants to be alerted to the creation of any local account on a server.


  • Assuming you have SAM yes, local account creation registers an event 4720 in Windows.  There is an OOTB template called Domain Controller Security that has a monitor for that event ID, but if you want to monitor it on all servers then you would probably want to copy it out of that template and create a new template that you would need to apply to all windows servers.