{
	"id": "e8e59aac-400c-4387-8989-f59ed0b1b36b",
	"created_at": "2026-04-06T01:30:11.678725Z",
	"updated_at": "2026-04-10T13:12:51.214967Z",
	"deleted_at": null,
	"sha1_hash": "98cc2e1a800a56b01265b54a86250f3485c09c5a",
	"title": "4738(S) A user account was changed. - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145275,
	"plain_text": "4738(S) A user account was changed. - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-06 00:45:37 UTC\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\r\nPage 1 of 12\n\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\r\nPage 2 of 12\n\nSubcategory: Audit User Account Management\nEvent Description:\nThis event generates every time user object is changed.\nThis event generates on domain controllers, member servers, and workstations.\nFor each change, a separate 4738 event will be generated.\nYou might see this event without any changes inside, that is, where all Changed Attributes appear as - . This\nusually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to\ndetermine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a\n4738 event will generate, but all attributes will be - .\nSome changes do not invoke a 4738 event.\nNote\nFor recommendations, see Security Monitoring Recommendations for this event.\nEvent XML:\n- - 4738001382400x8020000000000000175413SecurityDC01.contoso.local https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\nPage 3 of 12\n\n- \u003cEventData\u003e\r\n \u003cData Name=\"Dummy\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"TargetUserName\"\u003eksmith\u003c/Data\u003e\r\n \u003cData Name=\"TargetDomainName\"\u003eCONTOSO\u003c/Data\u003e\r\n \u003cData Name=\"TargetSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-6609\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\r\n \u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\r\n \u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\r\n \u003cData Name=\"SubjectLogonId\"\u003e0x30dc2\u003c/Data\u003e\r\n \u003cData 
Name=\"PrivilegeList\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"SamAccountName\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"DisplayName\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"UserPrincipalName\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"HomeDirectory\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"HomePath\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"ScriptPath\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"ProfilePath\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"UserWorkstations\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"PasswordLastSet\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"AccountExpires\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"PrimaryGroupId\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"AllowedToDelegateTo\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"OldUacValue\"\u003e0x15\u003c/Data\u003e\r\n \u003cData Name=\"NewUacValue\"\u003e0x211\u003c/Data\u003e\r\n \u003cData Name=\"UserAccountControl\"\u003e%%2050 %%2089\u003c/Data\u003e\r\n \u003cData Name=\"UserParameters\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"SidHistory\"\u003e-\u003c/Data\u003e\r\n \u003cData Name=\"LogonHours\"\u003e-\u003c/Data\u003e\r\n \u003c/EventData\u003e\r\n \u003c/Event\u003e\r\nRequired Server Roles: None.\r\nMinimum OS Version: Windows Server 2008, Windows Vista.\r\nEvent Versions: 0.\r\nField Descriptions:\r\nSubject:\r\nSecurity ID [Type = SID]: SID of account that requested the “change user account” operation. Event\r\nViewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you\r\nwill see the source data in the event.\r\nNote\r\nA security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). 
Each\r\naccount has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored\r\nin a security database. Each time a user logs on, the system retrieves the SID for that user from the database and\r\nplaces it in the access token for that user. The system uses the SID in the access token to identify the user in all\r\nsubsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or\r\ngroup, it cannot ever be used again to identify another user or group. For more information about SIDs, see\r\nSecurity identifiers.\r\nAccount Name [Type = UnicodeString]: the name of the account that requested the “change user account”\r\noperation.\r\nAccount Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include\r\nthe following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,\r\nthe value of this field is “NT AUTHORITY”.\r\nFor local user accounts, this field will contain the name of the computer or device that this account\r\nbelongs to, for example: “Win81”.\r\nLogon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events\r\nthat might contain the same Logon ID, for example, “4624: An account was successfully logged on.”\r\nTarget Account:\r\nSecurity ID [Type = SID]: SID of account that was changed. Event Viewer automatically tries to resolve\r\nSIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.\r\nAccount Name [Type = UnicodeString]: the name of the account that was changed.\r\nAccount Domain [Type = UnicodeString]: target account’s domain or computer name. 
Formats vary, and\r\ninclude the following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor local user accounts, this field will contain the name of the computer or device that this account\r\nbelongs to, for example: “Win81”.\r\nChanged Attributes:\r\nIf an attribute was not changed, it will have the “-” value.\r\nUnfortunately, for local accounts, all fields, except changed attributes, will have previous values populated. Also,\r\nthe User Account Control field will have values only if it was modified. Changed attributes will have new values,\r\nbut it is hard to understand which attribute was really changed.\r\nSAM Account Name [Type = UnicodeString]: logon name for account used to support clients and servers\r\nfrom previous versions of Windows (pre-Windows 2000 logon name). If the value of sAMAccountName\r\nattribute of user object was changed, you will see the new value here. For example: ladmin. For local\r\naccounts, this field always has some value—if the account's attribute was not changed it will contain the\r\ncurrent value of the attribute.\r\nDisplay Name [Type = UnicodeString]: it is a name, displayed in the address book for a particular account.\r\nThis is usually the combination of the user's first name, middle initial, and last name. You can change this\r\nattribute by using Active Directory Users and Computers, or through a script, for example. If the value of\r\ndisplayName attribute of user object was changed, you will see the new value here. For local accounts,\r\nthis field always has some value—if the account's attribute was not changed it will contain the current\r\nvalue of the attribute.\r\nUser Principal Name [Type = UnicodeString]: internet-style login name for the account, based on the\r\nInternet standard RFC 822. 
By convention this should map to the account's email name. If the value of\r\nuserPrincipalName attribute of user object was changed, you will see the new value here. You can change\r\nthis attribute by using Active Directory Users and Computers, or through a script, for example. For local\r\naccounts, this field is not applicable and always has - value.\r\nHome Directory [Type = UnicodeString]: user's home directory. If homeDrive attribute is set and\r\nspecifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the\r\nform \\\\Server\\Share\\Directory. If the value of homeDirectory attribute of user object was changed, you\r\nwill see the new value here. You can change this attribute by using Active Directory Users and Computers,\r\nor through a script, for example. For local accounts, this field always has some value—if the account's\r\nattribute was not changed it will contain the current value of the attribute.\r\nHome Drive [Type = UnicodeString]: specifies the drive letter to which to map the UNC path specified by\r\nhomeDirectory account’s attribute. The drive letter must be specified in the form “DRIVE_LETTER:”.\r\nFor example – “H:”. If the value of homeDrive attribute of user object was changed, you will see the new\r\nvalue here. You can change this attribute by using Active Directory Users and Computers, or through a\r\nscript, for example. For local accounts, this field always has some value—if the account's attribute was not\r\nchanged it will contain the current value of the attribute.\r\nScript Path [Type = UnicodeString]: specifies the path of the account’s logon script. If the value of\r\nscriptPath attribute of user object was changed, you will see the new value here. You can change this\r\nattribute by using Active Directory Users and Computers, or through a script, for example. 
For local\r\naccounts, this field always has some value—if the account's attribute was not changed it will contain the\r\ncurrent value of the attribute.\r\nProfile Path [Type = UnicodeString]: specifies a path to the account's profile. This value can be a null\r\nstring, a local absolute path, or a UNC path. If the value of profilePath attribute of user object was\r\nchanged, you will see the new value here. You can change this attribute by using Active Directory Users\r\nand Computers, or through a script, for example. For local accounts, this field always has some value—if\r\nthe account's attribute was not changed it will contain the current value of the attribute.\r\nUser Workstations [Type = UnicodeString]: contains the list of NetBIOS or DNS names of the computers\r\nfrom which the user can log on. Each computer name is separated by a comma. The name of a computer is\r\nthe sAMAccountName property of a computer object. If the value of userWorkstations attribute of user\r\nobject was changed, you will see the new value here. You can change this attribute by using Active\r\nDirectory Users and Computers, or through a script, for example. For local accounts, this field is not\r\napplicable and always appears as \u003cvalue not set\u003e .\r\nPassword Last Set [Type = UnicodeString]: last time the account’s password was modified. If the value of\r\npwdLastSet attribute of user object was changed, you will see the new value here. For example: 8/12/2015\r\n11:41:39 AM. This value will be changed, for example, after manual user account password reset. For local\r\naccounts, this field always has some value—if the account's attribute was not changed it will contain the\r\ncurrent value of the attribute.\r\nAccount Expires [Type = UnicodeString]: the date when the account expires. 
If the value of\r\naccountExpires attribute of user object was changed, you will see the new value here. For example,\r\n“9/21/2015 12:00:00 AM”. You can change this attribute by using Active Directory Users and Computers,\r\nor through a script, for example. For local accounts, this field always has some value—if the account's\r\nattribute was not changed it will contain the current value of the attribute.\r\nPrimary Group ID [Type = UnicodeString]: Relative Identifier (RID) of user’s object primary group.\r\nNote\r\nRelative identifier (RID) is a variable length number that is assigned to objects at creation and becomes part of\r\nthe object's Security Identifier (SID) that uniquely identifies an account or group within a domain.\r\nThis field will contain some value if user’s object primary group was changed. You can change user’s primary\r\ngroup using Active Directory Users and Computers management console in the Member Of tab of user object\r\nproperties. You will see a RID of new primary group as a field value. For example, RID 513 (Domain Users) is a\r\ndefault primary group for users.\r\nTypical Primary Group values for user accounts:\r\n513 (Domain Users. For local accounts this RID means Users) – for domain and local users.\r\nSee the well-known security principals for more information. If the value of primaryGroupID attribute of\r\nuser object was changed, you will see the new value here.\r\nAllowedToDelegateTo [Type = UnicodeString]: the list of SPNs to which this account can present\r\ndelegated credentials. Can be changed using Active Directory Users and Computers management console\r\nin Delegation tab of user account, if at least one SPN is registered for user account. 
If the SPNs list on\r\nDelegation tab of a user account was changed, you will see the new SPNs list in AllowedToDelegateTo\r\nfield (note that you will see the new list instead of changes) of this event. This is an example of\r\nAllowedToDelegateTo:\r\ndcom/WIN2012\r\ndcom/WIN2012.contoso.local\r\nIf the value of msDS-AllowedToDelegateTo attribute of user object was changed, you will see the\r\nnew value here.\r\nThe value can be \u003cvalue not set\u003e , for example, if delegation was disabled.\r\nFor local accounts, this field is not applicable and always has - value.\r\nNote\r\nService Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you\r\ninstall multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A\r\ngiven service instance can have multiple SPNs if there are multiple names that clients might use for\r\nauthentication. For example, an SPN always includes the name of the host computer on which the service instance\r\nis running, so a service instance might register an SPN for each name or alias of its host.\r\nOld UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,\r\nscript, and other behavior for the user or computer account. This parameter contains the previous value of\r\nthe SAM implementation of account flags (definition differs from userAccountControl in AD).\r\nNew UAC Value [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable,\r\nscript, and other behavior for the user or computer account. This parameter contains the value of the SAM\r\nimplementation of account flags (definition differs from userAccountControl in AD). If the value was\r\nchanged, you will see the new value here. 
For a list of account flags you may see here, refer to [MS-SAMR]: USER_ACCOUNT Codes.\r\nUser Account Control [Type = UnicodeString]: shows the list of changes in userAccountControl\r\nattribute. You will see a line of text for each change. See possible values in here: User’s or Computer’s\r\naccount UAC flags. In the “User Account Control field text” column, you can see the text that will be\r\ndisplayed in the User Account Control field in 4738 event.\r\nUser Parameters [Type = UnicodeString]: if you change any setting using Active Directory Users and\r\nComputers management console in Dial-in tab of user’s account properties, then you will see \u003cvalue\r\nchanged, but not displayed\u003e in this field. For local accounts, this field is not applicable and always has\r\n\u003cvalue not set\u003e value.\r\nSID History [Type = UnicodeString]: contains previous SIDs used for the object if the object was moved\r\nfrom another domain. Whenever an object is moved from one domain to another, a new SID is created and\r\nbecomes the objectSID. The previous SID is added to the sIDHistory property. If the value of sIDHistory\r\nattribute of user object was changed, you will see the new value here.\r\nLogon Hours [Type = UnicodeString]: hours that the account is allowed to log on to the domain. If the\r\nvalue of logonHours attribute of user object was changed, you will see the new value here. You can change\r\nthis attribute by using Active Directory Users and Computers, or through a script, for example. 
Here is an\r\nexample of this field:\r\nSunday 12:00 AM - 7:00 PM\r\nSunday 9:00 PM - Monday 1:00 PM\r\nMonday 2:00 PM - Tuesday 6:00 PM\r\nTuesday 8:00 PM - Wednesday 10:00 AM\r\nFor local accounts this field is not applicable and typically has value “All”.\r\nAdditional Information:\r\nPrivileges [Type = UnicodeString]: the list of user privileges which were used during the operation, for\r\nexample, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as\r\n“-”. See full list of user privileges in “Table 8. User Privileges.”.\r\nSecurity Monitoring Recommendations\r\nFor 4738(S): A user account was changed.\r\nSome organizations monitor every 4738 event.\r\nIf you have critical user computer accounts (for example, domain administrator accounts or service\r\naccounts) for which you need to monitor each change, monitor this event with the “Target\r\nAccount\\Account Name” that corresponds to the critical account or accounts.\r\nIf you have user accounts for which any change in the services list on the Delegation tab should be\r\nmonitored, monitor this event when AllowedToDelegateTo is not -. This value means the services list was\r\nchanged.\r\nConsider whether to track the following fields:\r\nField to track: Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Password Last Set, Account Expires, Primary Group ID, Logon Hours\r\nReason to track: We recommend monitoring all changes for these fields for critical domain and local accounts.\r\nField to track: Primary Group ID is not 513\r\nReason to track: Typically, the Primary Group value is 513 for domain and local users. Other values should be monitored.\r\nField to track: For user accounts for which the services list (on the Delegation tab) should not be empty: AllowedToDelegateTo is marked \u003cvalue not set\u003e\r\nReason to track: If AllowedToDelegateTo is marked \u003cvalue not set\u003e on user accounts that previously had a services list (on the Delegation tab), it means the list was cleared.\r\nField to track: SID History is not -\r\nReason to track: This field will always be set to - unless the account was migrated from another domain.\r\nConsider whether to track the following user account control flags:\r\nFlag to track: 'Normal Account' – Disabled\r\nInformation about the flag: Should not be disabled for user accounts.\r\nFlag to track: 'Password Not Required' – Enabled\r\nInformation about the flag: Should not typically be enabled for user accounts because it weakens security for the account.\r\nFlag to track: 'Encrypted Text Password Allowed' – Enabled\r\nInformation about the flag: Should not typically be enabled for user accounts because it weakens security for the account.\r\nFlag to track: 'Server Trust Account' – Enabled\r\nInformation about the flag: Should never be enabled for user accounts. Applies only to domain controller (computer) accounts.\r\nFlag to track: 'Don't Expire Password' – Enabled\r\nInformation about the flag: Should be monitored for critical accounts, or all accounts if your organization does not allow this flag.\r\nFlag to track: 'Smartcard Required' – Enabled\r\nInformation about the flag: Should be monitored for critical accounts.\r\nFlag to track: 'Password Not Required' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nFlag to track: 'Encrypted Text Password Allowed' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nFlag to track: 'Don't Expire Password' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nFlag to track: 'Smartcard Required' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nFlag to track: 'Trusted For Delegation' – Enabled\r\nInformation about the flag: Means that Kerberos constrained or unconstrained delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.\r\nFlag to track: 'Trusted For Delegation' – Disabled\r\nInformation about the flag: Means that Kerberos constrained or unconstrained delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.\r\nFlag to track: 'Trusted To Authenticate For Delegation' – Enabled\r\nInformation about the flag: Means that Protocol Transition delegation was enabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.\r\nFlag to track: 'Trusted To Authenticate For Delegation' – Disabled\r\nInformation about the flag: Means that Protocol Transition delegation was disabled for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. Also, if you have a list of user accounts for which delegation is critical and should not be disabled, monitor this for those accounts.\r\nFlag to track: 'Not Delegated' – Enabled\r\nInformation about the flag: Means that “Account is sensitive and cannot be delegated” was checked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.\r\nFlag to track: 'Not Delegated' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.” Means that “Account is sensitive and cannot be delegated” was unchecked for the user account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.\r\nFlag to track: 'Use DES Key Only' – Enabled\r\nInformation about the flag: Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\r\nFlag to track: 'Don't Require Preauth' – Enabled\r\nInformation about the flag: Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\r\nFlag to track: 'Use DES Key Only' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nFlag to track: 'Don't Require Preauth' – Disabled\r\nInformation about the flag: Should be monitored for all accounts where the setting should be “Enabled.”\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"
	],
	"report_names": [
		"event-4738"
	],
	"threat_actors": [],
	"ts_created_at": 1775439011,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98cc2e1a800a56b01265b54a86250f3485c09c5a.pdf",
		"text": "https://archive.orkl.eu/98cc2e1a800a56b01265b54a86250f3485c09c5a.txt",
		"img": "https://archive.orkl.eu/98cc2e1a800a56b01265b54a86250f3485c09c5a.jpg"
	}
}