Event ID: 4781

The name of an account was changed

The name of an account was changed:

    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Target Account:
    Security ID:        %4
    Account Domain:     %3
    Old Account Name:   %1
    New Account Name:   %2

Additional Information:
    Privileges:         %9

This event generates every time a user or computer account name (sAMAccountName attribute) is changed.

For user accounts, this event generates on domain controllers, member servers, and workstations.

For computer accounts, this event generates only on domain controllers.

Auditing:     Always

Microsoft Documentation

Event ID - 4781

Name Field Insertion String OS Example
Old Account Name OldTargetUserName %1 Any Admin
New Account Name NewTargetUserName %2 Any MainAdmin
Account Domain TargetDomainName %3 Any DOMAIN
Security ID TargetSid %4 Any S-1-5-21-3457937927-2839227994-823803824-6117
Security ID SubjectUserSid %5 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %6 Any dadmin
Account Domain SubjectDomainName %7 Any DOMAIN
Logon ID SubjectLogonId %8 Any 0x30d5f
Privileges PrivilegeList %9 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"

LEFT/RIGHT arrow keys for navigation

Back to List