Event ID: 4738

A user account was changed 

A user account was changed.

Subject:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Target Account:
    Security ID:        %4
    Account Name:       %2
    Account Domain:     %3

Changed Attributes:
    SAM Account Name:     %10
    Display Name:         %11
    User Principal Name:  %12
    Home Directory:       %13
    Home Drive:           %14
    Script Path:          %15
    Profile Path:         %16
    User Workstations:    %17
    Password Last Set:    %18
    Account Expires:      %19
    Primary Group ID:     %20
    AllowedToDelegateTo:  %21
    Old UAC Value:        %22
    New UAC Value:        %23
    User Account Control: %24
    User Parameters:      %25
    SID History:          %26
    Logon Hours:          %27

Additional Information:
    Privileges:     %9


This event generates every time user object is changed.

This event generates on domain controllers, member servers, and workstations.

For each change, a separate 4738 event will be generated.

You might see this event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.

ISO 27001:2013 A.9.2.1
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2 (4)
CMMC v2 L1: AC.L1-3.1.1


Microsoft Documentation

Event ID - 4738



Name Field Insertion String OS Example
N/A Dummy %1 Any -
Account Name TargetUserName %2 Any UserName
Account Domain TargetDomainName %3 Any DOMAIN
Security ID TargetSid %4 Any S-1-5-21-3457937927-2839227994-823803824-6609
Security ID SubjectUserSid %5 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %6 Any dadmin
Account Domain SubjectDomainName %7 Any DOMAIN
Logon ID SubjectLogonId %8 Any 0x30dc2
Privileges PrivilegeList %9 Any View Codes
SAM Account Name SamAccountName %10 Any -
Display Name DisplayName %11 Any -
User Principal Name UserPrincipalName %12 Any -
Home Directory HomeDirectory %13 Any -
Home Drive HomePath %14 Any -
Script Path ScriptPath %15 Any -
Profile Path ProfilePath %16 Any -
User Workstations UserWorkstations %17 Any -
Password Last Set PasswordLastSet %18 Any -
Account Expires AccountExpires %19 Any -
Primary Group ID PrimaryGroupId %20 Any -
AllowedToDelegateTo AllowedToDelegateTo %21 Any -
Old UAC Value OldUacValue %22 Any 0x15
New UAC Value NewUacValue %23 Any 0x211
User Account Control UserAccountControl %24 Any %%2050 %%2089
User Parameters UserParameters %25 Any -
SID History SidHistory %26 Any -
Logon Hours LogonHours %27 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
ISO 27001:2013 NIST 800-171 NIST SP 800-53 Audit Success CMMC L1
Audit Category:
Account Management

Audit Subcategory:
User Account Management
Legacy Events:
642

LEFT/RIGHT arrow keys for navigation

Back to List