Windows Event ID 4738 - A user account was changed

Introduction

Event 4738 is generated every time a user object is changed.

At times, this event shows no changes: every attribute under Changed Attributes appears as "-". This happens when the modified attribute is not one of those listed in the event, so the event alone cannot tell you what changed. For example, a change to the user object's discretionary access control list (DACL) generates event 4738 with every attribute set to "-". To see which attribute was modified in such cases, enable Directory Service Changes auditing, which records the attribute name in event ID 5136.

Description of the event fields.

Figure 1. Event ID 4738 — General tab under Event Properties.

Figure 2. Event ID 4738 — Details tab under Event Properties.

Subject:

Security ID: The SID of the account that attempted to change the Target Account.

Account Name: The name of the account that attempted to change the Target Account.

Account Domain: The Subject's domain or computer name. Formats vary and may be the NetBIOS name, the lowercase full domain name, or the uppercase full domain name.
For well-known security principals this field is "NT AUTHORITY," and for local user accounts this field contains the name of the computer that the account belongs to.

Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4624).

Target Account:

Security ID: The SID of the account that was modified.

Account Name: The name of the account that was modified.

Account Domain: The Target Account's domain or computer name. Formats vary and may be the NetBIOS name, the lowercase full domain name, or the uppercase full domain name.
For well-known security principals this field is "NT AUTHORITY," and for local user accounts this field contains the name of the computer that the account belongs to.

SAM Account Name: The pre-Windows 2000 logon name.

Display Name: This is usually the combination of the user's first name, middle initial, and last name.

User Principal Name: The internet-style login name for the account, based on the Internet standard RFC 822. By convention, this should map to the account's email name.

Home Directory: The user's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory must be a network path in Universal Naming Convention (UNC) form, \\Server\Share\Directory.

Home Drive: This attribute specifies the drive letter to which to map the UNC path specified by the account's homeDirectory attribute.

Script Path: This attribute specifies the path of the account’s logon script.

Profile Path: This attribute specifies a path to the account's profile.

User Workstations: This attribute contains the list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma.

Password Last Set: This attribute specifies the last time the account’s password was modified.

Account Expires: The date when the account expires.

Primary Group ID: The Relative Identifier (RID) of a user object's primary group.

AllowedToDelegateTo: The list of Service Principal Names (SPNs) to which this account can present delegated credentials.

Old UAC Value: The previous value of the user object's userAccountControl attribute, a bit mask of flags that control password, lockout, disable/enable, script, and other behaviors of the account.

New UAC Value: If the user object's userAccountControl attribute was changed, the new value appears here.

User Account Control: The list of individual userAccountControl flags that were set or cleared by the change.

User Parameters: If you change any setting on the Dial-in tab of a user account's properties in the Active Directory Users and Computers console, the change appears here.

SID History: This contains the previous SIDs used for the object if the object was moved from another domain.
Note: Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID.

Logon Hours: The hours that the account is allowed to log on to the domain.

Privileges: The list of user privileges which were used during the operation.

Reasons to monitor event ID 4738.

  • Monitor event ID 4738 for events whose Target Account/Security ID corresponds to a high-value account, including administrators, built-in local administrators, domain administrators, and service accounts.
  • Monitor changes to the AllowedToDelegateTo attribute to identify any change to the list of services to which the account can delegate credentials.
  • Track changes to the Account Expires attribute for temporary accounts; an extended or cleared expiry date can keep an account alive for an attacker.
  • Monitor changes to the User Workstations attribute for all accounts to detect attempts to widen the set of computers an account may log on from.
  • Track changes to the Logon Hours attribute for accounts that should only be used within a given timeframe. An alerting system can notify you when the restriction is changed.
  • Monitor the Password Not Required flag (PASSWD_NOTREQD), which is set directly in userAccountControl; it should normally be clear for all user accounts.
  • Monitor the Use DES Key Only flag (USE_DES_KEY_ONLY), which is set directly in userAccountControl; it should normally be clear for all user accounts because it weakens Kerberos encryption.
  • Don't Require Preauth (DONT_REQ_PREAUTH) should always be clear for all user accounts; an account with Kerberos pre-authentication disabled lets anyone request an AS-REP for it and crack the password offline. Monitor cases where this flag is enabled.
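As an added example (not code from this page, from ADAudit Plus, or from Microsoft), the following Python applies the checks above to 4738 records exported as event XML: it decodes the Old UAC Value and New UAC Value fields into flag names, reports risky flags that were set, flags changes to the watched attributes, and surfaces events in which every attribute is "-". The EventData field names are those of the real event; the sample records, the helpdesk1/svc-backup accounts, and the HIGH_VALUE watchlist are constructed for illustration.

```python
"""Triage exported Windows event ID 4738 records.

Added example for this page; not code from ADAudit Plus or Microsoft. The
sample events are constructed and the high-value watchlist is hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# userAccountControl bit values (from the AD schema documentation).
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags that should normally stay clear on user accounts.
RISKY_FLAGS = {"PASSWD_NOTREQD", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH"}
# Attribute fields carried by 4738; "-" means the attribute did not change.
ATTR_FIELDS = (
    "SamAccountName", "DisplayName", "UserPrincipalName", "HomeDirectory", "HomePath",
    "ScriptPath", "ProfilePath", "UserWorkstations", "PasswordLastSet", "AccountExpires",
    "PrimaryGroupId", "AllowedToDelegateTo", "OldUacValue", "NewUacValue",
    "UserAccountControl", "UserParameters", "SidHistory", "LogonHours",
)
WATCHED_ATTRS = ("AllowedToDelegateTo", "AccountExpires", "UserWorkstations", "LogonHours")
HIGH_VALUE = {"Administrator", "svc-backup"}  # hypothetical watchlist


def decode_uac(value):
    """Map a hex userAccountControl string such as '0x215' to its flag names."""
    if value in ("-", ""):
        return set()
    bits = int(value, 16)
    return {name for bit, name in UAC_FLAGS.items() if bits & bit}


def parse_4738(xml_text):
    """Return the EventData of one 4738 record as a {Name: text} dict."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4738":
        raise ValueError("not a 4738 record")
    return {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}


def triage(data):
    """Apply the monitoring rules from the page to one parsed record."""
    findings = []
    target = data["TargetUserName"]
    who = f"{data['SubjectDomainName']}\\{data['SubjectUserName']}"
    if target in HIGH_VALUE:
        findings.append(f"high-value account {target} changed by {who}")
    for attr in WATCHED_ATTRS:
        if data.get(attr, "-") != "-":
            findings.append(f"{attr} changed on {target}: {data[attr]}")
    old, new = decode_uac(data["OldUacValue"]), decode_uac(data["NewUacValue"])
    for flag in sorted((new - old) & RISKY_FLAGS):
        findings.append(f"{flag} enabled on {target} by {who}")
    # Every attribute "-" means the changed attribute is not one 4738 reports
    # (a DACL edit, for instance); surface it instead of dropping it.
    if all(data.get(f, "-") == "-" for f in ATTR_FIELDS):
        findings.append(f"unlisted attribute changed on {target} by {who}")
    return findings


def sample_event(**changed):
    """Build a constructed 4738 record; unchanged attributes are '-' as in real events."""
    fields = {"SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk1",
              "SubjectDomainName": "CORP", "SubjectLogonId": "0x3e7a1",
              "TargetUserName": "jdoe", "TargetDomainName": "CORP",
              "TargetSid": "S-1-5-21-1-2-3-2210", "PrivilegeList": "-"}
    fields.update({f: "-" for f in ATTR_FIELDS})
    fields.update(changed)
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4738</EventID></System>'
            f"<EventData>{body}</EventData></Event>")


def demo():
    """Run the triage over three constructed records: routine, risky, opaque."""
    events = [
        sample_event(DisplayName="Jane Doe"),
        sample_event(TargetUserName="svc-backup", OldUacValue="0x10200",
                     NewUacValue="0x410200",
                     AllowedToDelegateTo="cifs/fs01.corp.example"),
        sample_event(),  # every attribute "-", as for a DACL change
    ]
    return [triage(parse_4738(e)) for e in events]


if __name__ == "__main__":
    for findings in demo():
        print(findings or ["no finding"])
```

The routine record produces no finding; the svc-backup record produces three (high-value target, AllowedToDelegateTo changed, DONT_REQ_PREAUTH newly set); the all-dash record is reported as an unlisted-attribute change so it can be correlated with event 5136. In production you would feed the function the XML from `Get-WinEvent ... | ForEach-Object ToXml` or from your SIEM, and build HIGH_VALUE from group membership rather than a static set.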

The need for an auditing solution.

Auditing solutions like ADAudit Plus offer real-time monitoring, user and entity behavior analytics, and reports; together these features help secure your AD environment.

Real-time monitoring around the clock.

Although you can attach a task to the security log and ask Windows to send you an email, you will only get an email whenever that particular event ID is generated. Windows also lacks the ability to apply more granular filters that are required to meet security recommendations.

For example, Windows can send you an email every time event 4738 is generated, but it can't tell the difference between regular and high-value accounts. Receiving alerts specifically for high-value accounts reduces the chance of missing a critical notification among a heap of low-value alerts.

With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can receive alerts in real time via SMS, too.

User and entity behavior analytics (UEBA).

Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.

Compliance-ready reports.

Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR with out-of-the-box compliance reports.

True turnkey: it doesn't get simpler than this.

Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.

Try it now for free!
