Event ID 4781

The name of an account was changed 

The name of an account was changed:

Subject:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Target Account:
    Security ID:        %4
    Account Domain:     %3
    Old Account Name:   %1
    New Account Name:   %2

Additional Information:
    Privileges:         %9


This event generates every time a user or computer account name (sAMAccountName attribute) is changed.

For user accounts, this event generates on domain controllers, member servers, and workstations.

For computer accounts, this event generates only on domain controllers.

Auditing:     Always


Microsoft Documentation

Event ID - 4781



Name Field Insertion String OS Example
Old Account Name OldTargetUserName %1 Any Admin
New Account Name NewTargetUserName %2 Any MainAdmin
Account Domain TargetDomainName %3 Any DOMAIN
Security ID TargetSid %4 Any S-1-5-21-3457937927-2839227994-823803824-6117
Security ID SubjectUserSid %5 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %6 Any dadmin
Account Domain SubjectDomainName %7 Any DOMAIN
Logon ID SubjectLogonId %8 Any 0x30d5f
Privileges PrivilegeList %9 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
User Account Management
Legacy Events:
685

LEFT/RIGHT arrow keys for navigation

Back to List