Windows Security Log Event ID 4738

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Account Management
 • User Account Management
Type Success
Corresponding events
in Windows 2003
and before
642  
Discussions on Event ID 4738
4738: User account Change
Logon ID 0x3e6
Retrieving full text of event log message
How to write and view CUSTOM attributes value in the 4738 Event attributes list?
Anonymous Logon as Subject

4738: A user account was changed

On this page

The user identified by Subject: changed the user identified by Target Account:. 

Attributes show some of the properties that were set at the time the account was changed. 

This event is logged both for local SAM accounts and domain accounts.

Depending on what was changed you may see other User Account Management events specific to certain operations like password resets.

Free Security Log Resources by Randy

Description Fields in 4738

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Target Account: 

  • Security ID:  SID of the account
  • Account Name:  name of the account
  • Account Domain: domain of the account

Attributes:

  • SAM Account Name: pre Win2k logon name
  • Display Name:
  • User Principal Name: user logon name
  • Home Directory:
  • Home Drive:
  • Script Path:
  • Profile Path:
  • User Workstations: workstation restrictions
  • Password Last Set: last time password changed but also used for "user must change password at next logon"
  • Account Expires:
  • Primary Group ID: SID of primary group
  • Allowed To Delegate To: n/a
  • Old UAC Value:  bitwise representation of Account Options check list
  • New UAC Value:  bitwise representation of Account Options check list
  • User Account Control:
  • Account Disabled
  • 'Password Not Required' - Enabled
  • 'Normal Account' - Enabled
  • User Parameters: unkown.  Start a discussion below if you have informatino to share!
  • SID History:  used when migrating legacy domains
  • Logon Hours:  Day or week and time of day restrictions
  • Additional Information:
  • Privileges  unkown.  Start a discussion below if you have informatino to share!

Supercharger Free Edition

 

Centrally manage WEC subscriptions.

Free.

 

Examples of 4738

A user account was changed.

Subject:

   Security ID:  ACME-FR\administrator
   Account Name:  administrator
   Account Domain:  ACME-FR
   Logon ID:  0x20f9d

Target Account:

   Security ID:  ACME-FR\John.Locke
   Account Name:  John.Locke
   Account Domain:  ACME-FR

Changed Attributes:

   SAM Account Name: -
   Display Name:  -
   User Principal Name: -
   Home Directory:  -
   Home Drive:  -
   Script Path:  -
   Profile Path:  -
   User Workstations: -
   Password Last Set: -
   Account Expires:  -
   Primary Group ID: -
   AllowedToDelegateTo: -
   Old UAC Value:  0x10
   New UAC Value:  0x4010
   User Account Control:
   'Not Delegated' - Enabled
   User Parameters: -
   SID History:  -
   Logon Hours:  -

 
Additional Information:

   Privileges:  -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources