Event ID: 4781

The name of an account was changed

The name of an account was changed:

Subject:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:       %8

Target Account:
    Security ID:        %4
    Account Domain:     %3
    Old Account Name:   %1
    New Account Name:   %2

Additional Information:
    Privileges:     %9
Microsoft Documentation

Event ID - 4781



This event generates every time a user or computer account name (sAMAccountName attribute) is changed.

For user accounts, this event generates on domain controllers, member servers, and workstations.

For computer accounts, this event generates only on domain controllers.



Name Field Insertion String OS Example
Old Account Name OldTargetUserName %1 Any Admin
New Account Name NewTargetUserName %2 Any MainAdmin
Account Domain TargetDomainName %3 Any DOMAIN
Security ID TargetSid %4 Any S-1-5-21-3457937927-2839227994-823803824-6117
Security ID SubjectUserSid %5 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %6 Any dadmin
Account Domain SubjectDomainName %7 Any DOMAIN
Logon ID SubjectLogonId %8 Any 0x30d5f
Privileges PrivilegeList %9 Any -


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List