Event ID 4742

A computer account was changed 

A computer account was changed.

Subject:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Computer Account That Was Changed:
    Security ID:        %4
    Account Name:       %2
    Account Domain:     %3

Changed Attributes:
    SAM Account Name:     %10
    Display Name:         %11
    User Principal Name:  %12
    Home Directory:       %13
    Home Drive:           %14
    Script Path:          %15
    Profile Path:         %16
    User Workstations:    %17
    Password Last Set:    %18
    Account Expires:      %19
    Primary Group ID:     %20
    AllowedToDelegateTo:  %21
    Old UAC Value:        %22
    New UAC Value:        %23
    User Account Control: %24
    User Parameters:      %25
    SID History:          %26
    Logon Hours:          %27
    DNS Host Name:        %28
    Service Principal Names:    %29

Additional Information:
    Privileges:     %9


This event generates every time a computer object is changed.

You might see the same values for Subject\Security ID and Computer Account That Was Changed\Security ID in this event. This usually happens when you reboot a computer after adding it to the domain (the change takes effect after the reboot).

For each change, a separate 4742 event will be generated.

Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in Managed By tab in computer account properties.

You might see this event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the discretionary access control list (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.

Important: If you manually change any user-related setting or attribute, for example if you set the SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType of the computer account will be changed to NORMAL_USER_ACCOUNT and you will get “4738: A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL_USER_ACCOUNT you will always get events from Audit User Account Management subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.

Auditing:     Always

Keeps track of who modified a computer account when.


Volume:     Low


Microsoft Documentation

Event ID - 4742



Name Field Insertion String OS Example
N/A ComputerAccountChange %1 Any -
Account Name TargetUserName %2 Any COMPUTERNAME$
Account Domain TargetDomainName %3 Any DOMAIN
Security ID TargetSid %4 Any DOMAIN\ComputerName$
Security ID SubjectUserSid %5 Any DOMAIN\TheAdmin
Account Name SubjectUserName %6 Any TheAdmin
Account Domain SubjectDomainName %7 Any DOMAIN
Logon ID SubjectLogonId %8 Any 0x2e80c
Privileges PrivilegeList %9 Any View Codes
SAM Account Name SamAccountName %10 Any -
Display Name DisplayName %11 Any -
User Principal Name UserPrincipalName %12 Any -
Home Directory HomeDirectory %13 Any -
Home Drive HomePath %14 Any -
Script Path ScriptPath %15 Any -
Profile Path ProfilePath %16 Any -
User Workstations UserWorkstations %17 Any -
Password Last Set PasswordLastSet %18 Any -
Account Expires AccountExpires %19 Any -
Primary Group ID PrimaryGroupId %20 Any -
AllowedToDelegateTo AllowedToDelegateTo %21 Any dcom/COMPUTER2.domain.local
Old UAC Value OldUacValue %22 Any 0x80
New UAC Value NewUacValue %23 Any 0x80080
User Account Control UserAccountControl %24 Any 'Trusted For Delegation' - Enabled
User Parameters UserParameters %25 Any -
SID History SidHistory %26 Any -
Logon Hours LogonHours %27 Any -
DNS Host Name DnsHostName %28 Any -
Service Principal Names ServicePrincipalNames %29 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Computer Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Domain Controller Audit Success
Audit Category:
Account Management

Audit Subcategory:
Computer Account Management
Legacy Events:
646

LEFT/RIGHT arrow keys for navigation

Back to List