A user account was changed
On this page
The user identified by Subject: changed the user identified by Target Account:.
Attributes show some of the properties that were set at the time the account was changed.
This event is logged both for local SAM accounts and domain accounts.
Depending on what was changed you may see other User Account Management events specific to certain operations like password resets.
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- Security ID: SID of the account
- Account Name: name of the account
- Account Domain: domain of the account
- SAM Account Name: pre Win2k logon name
- Display Name:
- User Principal Name: user logon name
- Home Directory:
- Home Drive:
- Script Path:
- Profile Path:
- User Workstations: workstation restrictions
- Password Last Set: last time password changed but also used for "user must change password at next logon"
- Account Expires:
- Primary Group ID: SID of primary group
- Allowed To Delegate To: n/a
- Old UAC Value: bitwise representation of Account Options check list
- New UAC Value: bitwise representation of Account Options check list
- User Account Control:
- Account Disabled
- 'Password Not Required' - Enabled
- 'Normal Account' - Enabled
- User Parameters: unkown. Start a discussion below if you have informatino to share!
- SID History: used when migrating legacy domains
- Logon Hours: Day or week and time of day restrictions
- Additional Information:
- Privileges unkown. Start a discussion below if you have informatino to share!
Top 10 Windows Security Events to Monitor
A user account was changed.
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Security ID: ACME-FR\John.Locke
Account Name: John.Locke
Account Domain: ACME-FR
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
Old UAC Value: 0x10
New UAC Value: 0x4010
User Account Control:
'Not Delegated' - Enabled
User Parameters: -
SID History: -
Logon Hours: -
Keep me up-to-date on the Windows Security Log.
*We will NOT share this