Direct Inward Dialing: +1 408 916 9892
There may be times when event ID 4742 doesn’t show any changes, i.e. all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event, like the discretionary access control list (DACL). In this case, there is no way to determine which attribute was changed.
Figure 1. Event ID 4742 — General tab under Event Properties.
Figure 2. Event ID 4742 — Details tab under Event Properties.
Security ID: The SID of the account that made an attempt to change a computer account.
Account Name: The name of the account that made an attempt to change a computer account.
Account Domain: The Subject's domain name. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.
Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4624).
Security ID: The SID of the computer account that was modified.
Account Name: The name of the account that was modified.
Account Domain: The domain name of the computer account that was changed. Formats could vary to include the NETBIOS name, the lowercase full domain name, or the uppercase full domain name.
SAM Account Name: The pre-Windows 2000 logon name.
Display Name: Usually a combination of the user's first name, middle initial, and last name. This attribute is optional for computer objects and is typically not preset.
User Principal Name: The internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email address.This attribute is optional for computer objects and is typically not preset.
Home Directory: The user's home directory. This attribute is optional for computer objects and is typically not preset.
If the homeDrive attribute is set and specifies a drive letter, the homeDirectory should be a Universal Naming Convention (UNC) path and the path must be a network UNC of the form \\Server\Share\Directory.
Home Drive: The drive letter to which to map the UNC path specified by the account's homeDirectory attribute. This attribute is optional for computer objects and is typically not preset.
Script Path: The path of the account’s logon script. This attribute is optional for computer objects and is typically not preset.
Profile Path: A path to the account's profile. This attribute is optional for computer objects and is typically not preset.
User Workstations:The list of NetBIOS or DNS names of the computers from which the user can log on. Each computer name is separated by a comma. This attribute is optional for computer objects and is typically not preset.
Password Last Set: The last time the account’s password was modified. For example, after manually resetting a computer account's password or automatically resetting it (for computer objects, passwords are reset every 30 days by default).
Account Expires: The date the account will expire. This attribute is optional for computer objects and is typically not preset.
Primary Group ID: The Relative Identifier (RID) of a computer object's primary group.
AllowedToDelegateTo: The list of Service Principal Names (SPNs) to which this account can present delegated credentials.
Old UAC Value: This specifies the flags that control password, lockout, disable/enable, script, etc. for the computer account. It contains the previous value of the computer object's userAccountControl attribute.
New UAC Value: If the value of userAccountControl attribute of the computer object was changed, you will see the new value here.
User Account Control: The list of changes in the userAccountControl attribute.
User Parameters: If you change any setting using Active Directory Users and Computers management console in the Dial-in tab of a user account's properties, you will see
SID History: This contains the previous SIDs used for the object if the object was moved from another domain.
Note: Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID.
Logon Hours:The hours during which the account is allowed to log on to the domain. This attribute is optional for computer objects and is typically not preset.
DNS Host Name: The name of the computer account as registered in DNS.
Service Principal Names:The list of SPNs registered for the computer account. If the value of the computer object's servicePrincipalName attribute was changed, you will see the new value here.
Privileges: The list of user privileges used during the operation.
Auditing solutions like ADAudit Plus offer real-time monitoring, user and entity behavior analytics, and reports; together these features help secure your AD environment.
Although you can attach a task to the security log and ask Windows to send you an email, you will only get an email whenever that particular event ID is generated. Windows also lacks the ability to apply more granular filters that are required to meet security recommendations.
With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can receive alerts in real time via SMS, too.
Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.
Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR with out-of-the-box compliance reports.
Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.
Click this link to access the guide.
