Introducing ADAudit Plus' Attack Surface Analyzer—Detect 25+ AD attacks and identify risky Azure configurations. Learn more×
 
Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

Windows Event ID 4742 - A computer account was changed

Introduction

There may be times when event ID 4742 doesn’t show any changes, i.e. all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event, like the discretionary access control list (DACL). In this case, there is no way to determine which attribute was changed.

Description of the event fields.

Figure 1. Event ID 4742 — General tab under Event Properties.

Event ID 4742 — General tab under Event Properties.

Figure 2. Event ID 4742 — Details tab under Event Properties.

Event ID 4742 — Details tab under Event Properties.

user-management-reports

Security ID: The SID of the account that made an attempt to change a computer account.

Account Name: The name of the account that made an attempt to change a computer account.

Account Domain: The Subject's domain name. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.

Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4624).

Security ID: The SID of the computer account that was modified.

Account Name: The name of the account that was modified.

Account Domain: The domain name of the computer account that was changed. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.

SAM Account Name: The pre-Windows 2000 logon name.

Display Name: Usually a combination of the user's first name, middle initial, and last name. This attribute is optional for computer objects and is typically not preset.

User Principal Name: The internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email address.This attribute is optional for computer objects and is typically not preset.

Home Directory: The user's home directory. This attribute is optional for computer objects and is typically not preset.
If the homeDrive attribute is set and specifies a drive letter, the homeDirectory should be a Universal Naming Convention (UNC) path and the path must be a network UNC of the form \\Server\Share\Directory.

Home Drive: The drive letter to which to map the UNC path specified by the account's homeDirectory attribute. This attribute is optional for computer objects and is typically not preset.

Script Path: The path of the account’s logon script. This attribute is optional for computer objects and is typically not preset.

Profile Path: A path to the account's profile. This attribute is optional for computer objects and is typically not preset.

User Workstations:The list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. This attribute is optional for computer objects and is typically not preset.

Password Last Set: The last time the account’s password was modified. For example, after manually resetting a computer account's password or automatically resetting it (for computer objects, passwords are reset every 30 days by default).

Account Expires: The date the account will expire. This attribute is optional for computer objects and is typically not preset.

Primary Group ID: The Relative Identifier (RID) of a computer object's primary group.

AllowedToDelegateTo: The list of Service Principal Names (SPNs) to which this account can present delegated credentials.

Old UAC Value: This specifies the flags that control password, lockout, disable/enable, script, etc. for the computer account. It contains the previous value of the computer object's userAccountControl attribute.

New UAC Value: If the value of userAccountControl attribute of the computer object was changed, you will see the new value here.

User Account Control: The list of changes in the userAccountControl attribute.

User Parameters: If you change any setting using Active Directory Users and Computers management console in the Dial-in tab of a user account's properties, you will see here.

SID History: This contains the previous SIDs used for the object if the object was moved from another domain.
Note: Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID.

Logon Hours:The hours during which the account is allowed to log on to the domain. This attribute is optional for computer objects and is typically not preset.

DNS Host Name: The name of the computer account as registered in DNS.

Service Principal Names:The list of SPNs registered for the computer account. If the value of the computer object's servicePrincipalName attribute was changed, you will see the new value here.

Privileges: The list of user privileges used during the operation.

Monitoring event ID 4742.

  • Monitor event ID 4742 when Computer Account That Was Changed/Security ID corresponds to high-value accounts, including database servers, domain controllers, and administration workstations. To monitor your AD environment for privilege abuse.
  • Monitor changes to AllowedToDelegateTo to identify any change to the list of services that the account delegates authority to. This way avoids unauthorized access to applications and thereby reduces the attack surface.
  • Monitor frequent changes to pwdLastSet—the default setting is once a month for computer accounts. Frequent changes may indicate an anomaly or attack.
  • If you set the SMARTCARD_REQUIRED flag in userAccountControl for the computer account, then the sAMAccountType of the computer account will be changed to NORMAL_USER_ACCOUNT (i.e. the computer account will "become” a user account and you will get “4738: A user account was changed” instead of 4742 for this computer account). Attackers can exploit this to fly under the radar even if you have alerting set up for computer accounts within your network. The actions that this account performs also won't show up in the user account records, as generally most tools omit fetching change events for subject/account names ending with $.
  • It is strongly recommended that you avoid changing any user-related settings manually for computer objects, and monitor userAccountControl for every change.

The need for an auditing solution.

Auditing solutions like ADAudit Plus offer real-time monitoring, user and entity behavior analytics, and reports; together these features help secure your AD environment.

Real-time monitoring around the clock.

Although you can attach a task to the security log and ask Windows to send you an email, you will only get an email whenever that particular event ID is generated. Windows also lacks the ability to apply more granular filters that are required to meet security recommendations.

For example, Windows can send you an email every time event ID 4742 is generated, but it can't tell the difference between regular and high-value accounts. Receiving alerts specifically for high-value accounts reduces the chance of missing out on critical notifications amongst a heap of false-positive alerts.

With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can receive alerts in real time via SMS, too.

User and entity behavior analytics (UEBA).

Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.

Compliance-ready reports.

Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR with out-of-the-box compliance reports.

True turnkey: it doesn't get simpler than this.

Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.

Try it now for free!

 

The 8 Most
Critical Windows
Security Event IDs

Thank you for your interest!

Click this link to access the guide.

  •  
  • By clicking 'Download free guide' you agree to processing of personal data according to the Privacy Policy.
 
 
 
 

ADAudit Plus Trusted By