[Image: Windows Event Viewer displaying Security audit log entries for Event ID 4738, user account modification events]
Event ID: 4738 | Level: Information | Source: Microsoft-Windows-Security-Auditing | Platform: Windows

Windows Event ID 4738 – Microsoft-Windows-Security-Auditing: User Account Changed

Event ID 4738 is logged when a user account is modified in Active Directory or in the local SAM database. It is critical for security auditing and for tracking unauthorized account changes.

Emanuel DE ALMEIDA, 18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 4738 is one of the most important security audit events in Windows environments. When a user account's properties are modified, whether in Active Directory or in the local Security Accounts Manager (SAM) database, Windows writes this event to the Security log to maintain an audit trail of account changes.

The event records the security identifier (SID) of the account being modified and of the account performing the modification, together with the Subject's Logon ID. The Changed Attributes section lists the attributes that 4738 tracks (SAM account name, display name, UPN, home directory and drive, script and profile paths, workstation and logon-hour restrictions, Password Last Set and Account Expires, primary group, AllowedToDelegateTo, SID History) with their new values; an attribute that was not part of the change is shown as "-". Only the User Account Control flags are reported as a before-and-after pair (Old UAC Value and New UAC Value). The event does not record the workstation or IP address the change came from; that information lives in the logon event (4624) whose Logon ID matches the Subject's Logon ID. This granular logging makes 4738 invaluable for forensic investigations and compliance reporting.

In Active Directory environments, this event is logged on the domain controller that processed the change when administrators modify user properties through Active Directory Users and Computers, PowerShell cmdlets such as Set-ADUser, or automated scripts. Because each domain controller logs only the changes it handled, the Security logs of all domain controllers must be collected. For local accounts, the event is logged on the machine where the account resides. A single administrative action often produces 4738 next to a more specific event: 4724 for a password reset, 4722 or 4725 when an account is enabled or disabled. Group membership changes are not reported by 4738 at all; they generate the group management events (4728, 4732 and 4756 for members added, 4729, 4733 and 4757 for members removed).

Security Information and Event Management (SIEM) systems commonly monitor 4738 to detect suspicious account modifications, especially changes to privileged accounts, changes that weaken an account's security settings (password not required, Kerberos pre-authentication disabled, delegation enabled, SID History added), and modifications occurring outside normal business hours.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator resetting a user's password through Active Directory Users and Computers (also logs 4724)
  • PowerShell scripts modifying user attributes with Set-ADUser, Set-LocalUser or similar cmdlets
  • Automated identity management systems updating user properties
  • Primary group changes (adding or removing members of other groups is logged by the group management events 4728/4729, 4732/4733 and 4756/4757, not by 4738)
  • Account status changes such as enabling or disabling an account (also logs 4722/4725)
  • User profile path, home directory or logon script changes
  • Logon hours or workstation restrictions being modified
  • Account expiration date changes or other User Account Control flag changes (password never expires, password not required, smart card required, delegation settings)
  • Service account credential updates or configuration changes
  • Bulk user import operations modifying existing accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the 4738 event to understand what changed and who initiated the modification.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4738 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4738 in the Event IDs field and click OK
  5. Double-click a 4738 event to view its details, which are grouped as:
    • Subject: the account that made the change (SID, account name, domain and Logon ID)
    • Target Account: the account that was modified (SID, account name, domain)
    • Changed Attributes: the tracked attributes with their new values; attributes that did not change show "-"
    • Additional Information: the privileges the Subject used for the operation
Pro tip: In Changed Attributes only the User Account Control flags are shown as a before-and-after pair (Old UAC Value and New UAC Value); every other attribute carries its new value only, so a previous value has to be recovered from an earlier 4738 for the same account or from a directory backup.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze 4738 events across time ranges or, combined with Invoke-Command, across several domain controllers.

  1. Open PowerShell as Administrator (or as a member of the Event Log Readers group)
  2. Query recent 4738 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Search for modifications involving a specific account (replace username; a match on Message hits the account whether it is the Subject or the Target):
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=(Get-Date).AddDays(-7)}
    $Events | Where-Object {$_.Message -like '*username*'} | Select-Object TimeCreated, Message
  4. Extract individual fields from the event XML. Index the Data elements by their Name attribute rather than by position: in the 4738 schema position 1 is TargetUserName and position 5 is SubjectUserName, which is easy to get backwards:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} -MaxEvents 10 | ForEach-Object {
        $Data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            SubjectUserName = $Data['SubjectUserName']
            SubjectLogonId  = $Data['SubjectLogonId']   # join key to the 4624 logon session that made the change
            TargetUserName  = $Data['TargetUserName']
            TargetDomain    = $Data['TargetDomainName']
            OldUacValue     = $Data['OldUacValue']
            NewUacValue     = $Data['NewUacValue']
        }
    }
Pro tip: Use the -Oldest parameter with Get-WinEvent to retrieve events in chronological order for timeline analysis.
03

Configure Advanced Audit Policies

Ensure the audit policy is configured to capture account management events. Domain controllers audit Account Management successes by default through the Default Domain Controllers Policy; member servers and workstations log nothing for this subcategory until it is enabled.

  1. Open Group Policy Management Console (domain policies) or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies (gpedit.msc has no Policies node in between)
  3. Expand Account Management and configure these policies:
    • Audit User Account Management: Set to Success and Failure (4738 itself is a Success event)
    • Audit Security Group Management: Set to Success and Failure
    • Audit Distribution Group Management: Set to Success
  4. Alternatively, set the subcategories from the command line (a local auditpol change is overwritten at the next policy refresh when a GPO configures auditing):
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
  5. Verify the effective audit settings:
    auditpol /get /subcategory:"User Account Management"
  6. Force a Group Policy update if using domain policies:
    gpupdate /force
  7. Check that the Security Options setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; without it the legacy category settings can silently override the advanced subcategories.
Warning: Enabling extensive audit logging can generate significant log volume. Monitor disk space and configure log retention policies appropriately.
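The following check is an added example and not part of the original article. It reads the effective setting of the User Account Management subcategory from auditpol's CSV output and the LSA value that makes Advanced Audit Policy subcategories override the legacy categories. It assumes English auditpol output ("Success and Failure" and so on) and relies on the "Subcategory" and "Inclusion Setting" column names of the /r format; run it as Administrator.

```powershell
# Added example (not from the original article): verify the audit setting that
# produces 4738 and the policy-precedence switch behind it. Assumptions: English
# auditpol strings; auditpol /r CSV columns "Subcategory" and "Inclusion Setting".

function Test-UserAccountManagementAudit {
    [CmdletBinding()]
    param()

    # auditpol /r prints CSV, which ConvertFrom-Csv turns into objects
    $rows    = auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv
    $setting = ($rows | Where-Object { $_.Subcategory -eq 'User Account Management' } |
                Select-Object -First 1).'Inclusion Setting'

    # SCENoApplyLegacyAuditPolicy = 1: subcategory (advanced) settings win over the
    # legacy audit categories. The GPO setting "Audit: Force audit policy subcategory
    # settings ... to override audit policy category settings" writes this value.
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $override = $lsa.SCENoApplyLegacyAuditPolicy

    [PSCustomObject]@{
        InclusionSetting    = $setting
        SuccessAudited      = ($setting -in 'Success', 'Success and Failure')   # 4738 is a Success event
        FailureAudited      = ($setting -in 'Failure', 'Success and Failure')
        SubcategoryOverride = ($override -eq 1)
        Note                = if ($override -ne 1) { 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override this subcategory' } else { $null }
    }
}

Test-UserAccountManagementAudit
```

SuccessAudited is the property that matters for 4738; FailureAudited covers the failed-operation variants of the same subcategory. Run the check on every domain controller, not just one, because each DC evaluates audit policy on its own.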
04

Investigate Suspicious Account Changes

Perform detailed forensic analysis when 4738 events indicate potential security incidents.

  1. Identify who made suspicious changes by reading the Subject fields from the event XML (by field name, not by position):
    $Recent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=(Get-Date).AddHours(-24)}
    $Recent | ForEach-Object {
        $Data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        if ($Data['SubjectUserName'] -match 'Administrator|SYSTEM') {   # example filter: changes made by built-in accounts
            Write-Host "Time: $($_.TimeCreated)"
            Write-Host "Subject: $($Data['SubjectDomainName'])\$($Data['SubjectUserName']) (Logon ID $($Data['SubjectLogonId']))"
            Write-Host "Target: $($Data['TargetDomainName'])\$($Data['TargetUserName'])"
            Write-Host "UAC: $($Data['OldUacValue']) -> $($Data['NewUacValue'])"
            Write-Host "---"
        }
    }
  2. Cross-reference with logon events (4624) on the same domain controller to find where the session came from. 4738 has no workstation or address field; its Subject Logon ID equals the Logon ID of the 4624 that opened the session, and that 4624 carries the Logon Type, Workstation Name and Source Network Address:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -like '*suspicious_username*'}
  3. Check for related special-privilege logon events (4672), which carry the same Logon ID:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=(Get-Date).AddHours(-2)} | Format-Table TimeCreated, Message -Wrap
  4. Examine process creation events (4688) if available; command-line arguments appear only when "Include command line in process creation events" is enabled:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -like '*net.exe*' -or $_.Message -like '*dsmod*' -or $_.Message -like '*powershell*'}
  5. Document findings and correlate with other security events for comprehensive incident analysis
Pro tip: Look for patterns such as multiple account modifications from the same workstation or changes occurring outside business hours.
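The join described in step 2, as an added example that is not part of the original article: 4738 is matched to the 4624 of the same session through the Logon ID, which yields the source host, address and logon type that 4738 lacks. Both records below are constructed samples; the Data element names are the real EventData names, while the hosts, SIDs and Logon ID are made up.

```powershell
# Added example, not from the original article. 4738 has no source host or address
# field; the Subject Logon ID is the join key to the 4624 logon that opened that
# session on the same machine (its Target Logon ID), which carries Workstation Name,
# Source Network Address and Logon Type. The same Logon ID also links 4672.
# The two XML records are constructed samples (hosts, SIDs and Logon ID are made up).

function Get-EventDataMap {
    # Flatten an event's XML (output of $event.ToXml()) into a name -> value hashtable
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $m = @{ Time = [datetime]$xml.Event.System.TimeCreated.SystemTime }   # converted to local time
    foreach ($d in $xml.Event.EventData.Data) { $m[$d.Name] = $d.'#text' }
    return $m
}

function Join-AccountChangeToLogon {
    param(
        [Parameter(Mandatory)][hashtable[]]$AccountChanges,   # parsed 4738 records
        [Parameter(Mandatory)][hashtable[]]$Logons            # parsed 4624 records from the same Security log
    )
    # Logon IDs are hex strings; normalise case so '0x3E4A5F' and '0x3e4a5f' match
    $byLogonId = @{}
    foreach ($l in $Logons) { $byLogonId[$l['TargetLogonId'].ToLower()] = $l }

    foreach ($c in $AccountChanges) {
        $l     = $byLogonId[$c['SubjectLogonId'].ToLower()]
        $found = ($null -ne $l)
        [PSCustomObject]@{
            Time          = $c['Time']
            Subject       = "$($c['SubjectDomainName'])\$($c['SubjectUserName'])"
            Target        = "$($c['TargetDomainName'])\$($c['TargetUserName'])"
            LogonId       = $c['SubjectLogonId']
            LogonType     = if ($found) { $l['LogonType'] }       else { $null }   # 3 = network (RSAT/PowerShell), 10 = RDP
            SourceHost    = if ($found) { $l['WorkstationName'] } else { $null }
            SourceAddress = if ($found) { $l['IpAddress'] }       else { $null }
            LogonFound    = $found   # $false: the session predates the log window, or 4624 is not audited
        }
    }
}

# Constructed samples (not real log records)
$Change4738 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><TimeCreated SystemTime="2026-03-18T02:14:09Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc-sqlagent</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">helpdesk01</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3E4A5F</Data>
  </EventData>
</Event>
'@
$Logon4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-18T02:11:40Z"/></System>
  <EventData>
    <Data Name="TargetUserName">helpdesk01</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetLogonId">0x3e4a5f</Data><Data Name="LogonType">10</Data>
    <Data Name="WorkstationName">WKS-0142</Data><Data Name="IpAddress">10.20.30.77</Data>
  </EventData>
</Event>
'@

Join-AccountChangeToLogon -AccountChanges (Get-EventDataMap $Change4738) -Logons (Get-EventDataMap $Logon4624) | Format-List

# Live use on the domain controller that logged the 4738 (the 4624 is on the same DC,
# so query a wider window for logons than for changes):
# $c = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=(Get-Date).AddHours(-24)} | ForEach-Object { Get-EventDataMap $_.ToXml() }
# $l = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-2)}  | ForEach-Object { Get-EventDataMap $_.ToXml() }
# Join-AccountChangeToLogon -AccountChanges $c -Logons $l | Format-Table
```

A LogonFound value of $false is itself worth noting: either the session is older than the retained log, or the change was made by a process whose logon (SYSTEM, a service) is not what you expected.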
05

Implement Automated Monitoring and Alerting

Set up proactive monitoring to detect and respond to critical account modifications in near real time.

  1. Create a PowerShell script for continuous monitoring:
    # Monitor4738.ps1 - polls the Security log and alerts on changes to sensitive accounts
    $LastCheck = (Get-Date).AddMinutes(-5)
    while ($true) {
        $Now = Get-Date
        $NewEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=$LastCheck; EndTime=$Now} -ErrorAction SilentlyContinue

        foreach ($Event in $NewEvents) {
            $Data = @{}
            foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
            $TargetUser  = $Data['TargetUserName']
            $SubjectUser = $Data['SubjectUserName']

            # Alert on sensitive account changes (the name pattern is illustrative; an allow-list of SIDs is more robust)
            if ($TargetUser -match 'admin|service|sql') {
                Write-Host "ALERT: Privileged account $TargetUser modified by $SubjectUser at $($Event.TimeCreated)" -ForegroundColor Red
                # Add email notification or SIEM integration here; Write-Host output is lost when the script runs as a scheduled task
            }
        }

        $LastCheck = $Now
        Start-Sleep -Seconds 300
    }
  2. Configure Windows Event Forwarding for centralized collection (the subscription XML carries the XPath filter, for example *[System[EventID=4738]]):
    # On collector server
    wecutil qc /q
    wecutil cs subscription.xml
  3. Create a custom Event Viewer view for 4738 monitoring:
    • Open Event Viewer > Custom Views
    • Right-click and select Create Custom View
    • Set Event IDs to 4738 and configure additional filters
    • Save as "User Account Changes Monitor"
  4. Set up Task Scheduler to run the monitor as SYSTEM at startup:
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Monitor4738.ps1'
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserID 'SYSTEM' -LogonType ServiceAccount
    Register-ScheduledTask -TaskName 'Monitor4738Events' -Action $Action -Trigger $Trigger -Principal $Principal
Warning: Automated monitoring scripts should include proper error handling and logging to prevent service disruption.
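The parser and rule set below are an added example, not code from the original article or from Microsoft. They serve the field layout described under "What This Event Means", the name-based extraction of step 2, and the alerting of step 5: a 4738 record is parsed by EventData field name, the Old/New UAC Value transition is decoded into the flags that were set and cleared, and a few triage rules run over the result. The event XML is a constructed sample; the privileged-account list, the naming pattern and the business hours are assumptions to tune per environment.

```powershell
# Added example, not the article's or Microsoft's code: parse a 4738 record by
# EventData field NAME (never by position), decode the UAC transition, apply triage
# rules. Sample event, account list, name pattern and business hours are assumptions.

# 4738 reports Old/New UAC Value in the SAM encoding (MS-SAMR USER_* account-control
# bits: 0x1 = disabled, 0x10 = normal account, 0x200 = password never expires), which
# is NOT the LDAP userAccountControl bit layout. Subset relevant to triage:
$SamUacFlags = @{
    0x00001 = 'ACCOUNT_DISABLED'
    0x00004 = 'PASSWORD_NOT_REQUIRED'
    0x00010 = 'NORMAL_ACCOUNT'
    0x00200 = 'DONT_EXPIRE_PASSWORD'
    0x01000 = 'SMARTCARD_REQUIRED'
    0x02000 = 'TRUSTED_FOR_DELEGATION'
    0x04000 = 'NOT_DELEGATED'
    0x10000 = 'DONT_REQUIRE_PREAUTH'
    0x40000 = 'TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION'
}

# Attribute fields of 4738; a value of "-" means the attribute was not part of this change
$AttributeFields = 'SamAccountName', 'DisplayName', 'UserPrincipalName', 'HomeDirectory', 'HomePath',
    'ScriptPath', 'ProfilePath', 'UserWorkstations', 'PasswordLastSet', 'AccountExpires',
    'PrimaryGroupId', 'AllowedToDelegateTo', 'UserParameters', 'SidHistory', 'LogonHours'

function ConvertFrom-Event4738 {
    param([Parameter(Mandatory)][string]$EventXml)   # output of $event.ToXml()
    $xml = [xml]$EventXml
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $changed = @{}
    foreach ($n in $AttributeFields) { if ($d[$n] -and $d[$n] -ne '-') { $changed[$n] = $d[$n] } }
    $old = [Convert]::ToInt32(($d['OldUacValue'] -replace '^0x', ''), 16)
    $new = [Convert]::ToInt32(($d['NewUacValue'] -replace '^0x', ''), 16)
    $set     = @(foreach ($b in $SamUacFlags.Keys) { if (($new -band $b) -and -not ($old -band $b)) { $SamUacFlags[$b] } })
    $cleared = @(foreach ($b in $SamUacFlags.Keys) { if (($old -band $b) -and -not ($new -band $b)) { $SamUacFlags[$b] } })
    [PSCustomObject]@{
        TimeCreated     = [datetime]$xml.Event.System.TimeCreated.SystemTime   # converted to local time
        SubjectUserName = $d['SubjectUserName']
        SubjectLogonId  = $d['SubjectLogonId']   # join key to the 4624/4672 of the same session
        TargetUserName  = $d['TargetUserName']
        TargetSid       = $d['TargetSid']
        Changed         = $changed
        UacSet          = $set
        UacCleared      = $cleared
    }
}

function Test-Event4738 {
    param(
        [Parameter(Mandatory)]$Parsed,                                   # object from ConvertFrom-Event4738
        [string[]]$PrivilegedAccounts = @('Administrator', 'krbtgt'),   # assumption: extend with your Tier 0 accounts
        [int]$BusinessStart = 7,
        [int]$BusinessEnd = 19
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Parsed.TargetUserName -in $PrivilegedAccounts -or $Parsed.TargetUserName -match '^(adm|svc)[-_]') {
        $findings.Add("privileged or service account modified: $($Parsed.TargetUserName)")
    }
    if ($Parsed.UacSet -contains 'PASSWORD_NOT_REQUIRED') { $findings.Add('PASSWORD_NOT_REQUIRED set (empty password accepted)') }
    if ($Parsed.UacSet -contains 'DONT_REQUIRE_PREAUTH')  { $findings.Add('Kerberos pre-authentication disabled (AS-REP roasting exposure)') }
    if ($Parsed.UacSet -contains 'DONT_EXPIRE_PASSWORD')  { $findings.Add('password expiry disabled') }
    if ($Parsed.UacSet -like 'TRUSTED*DELEGATION')        { $findings.Add('delegation trust granted') }
    if ($Parsed.UacCleared -contains 'ACCOUNT_DISABLED')  { $findings.Add('account re-enabled') }
    foreach ($k in 'SidHistory', 'AllowedToDelegateTo', 'ScriptPath', 'PrimaryGroupId') {
        if ($Parsed.Changed.ContainsKey($k)) { $findings.Add("$k changed to '$($Parsed.Changed[$k])'") }
    }
    $t = $Parsed.TimeCreated   # local time; the sample is 02:14 UTC
    if ($t.DayOfWeek -in 'Saturday', 'Sunday' -or $t.Hour -lt $BusinessStart -or $t.Hour -ge $BusinessEnd) {
        $findings.Add("change outside business hours ($($t.ToString('ddd HH:mm')))")
    }
    return $findings
}

# Constructed sample 4738 (not a real log record): helpdesk01 re-enables svc-sqlagent,
# sets "password not required" and "do not require Kerberos preauthentication".
# The UserAccountControl field (message-table %%NNNN references that only .Message renders)
# and the attribute fields that would all read "-" are omitted.
$Sample4738 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><TimeCreated SystemTime="2026-03-18T02:14:09.743Z"/></System>
  <EventData>
    <Data Name="Dummy">-</Data>
    <Data Name="TargetUserName">svc-sqlagent</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1603</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e4a5f</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="OldUacValue">0x211</Data>
    <Data Name="NewUacValue">0x10214</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-Event4738 -EventXml $Sample4738
Test-Event4738 -Parsed $parsed

# Live use on a domain controller:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738; StartTime=(Get-Date).AddDays(-1)} | ForEach-Object {
#     $p = ConvertFrom-Event4738 $_.ToXml(); $f = Test-Event4738 $p
#     if ($f.Count) { [PSCustomObject]@{ Time = $p.TimeCreated; Target = $p.TargetUserName; Findings = ($f -join '; ') } }
# }
```

The rules are deliberately about what the change does to the account's security (blank password allowed, pre-authentication off, delegation granted, SID History written, a dormant account brought back) rather than about who made it; pair them with the Logon ID join from step 4 to attribute the change to a source host.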

Overview

Event ID 4738 is a security audit event that fires whenever a user account is modified in Windows. It covers changes to the account's tracked attributes: password resets (Password Last Set), enable/disable and the other User Account Control flags, account expiry, primary group, profile and script paths, logon restrictions and SID History. It is logged on the domain controller that processed the change for Active Directory accounts and on the local machine for local user accounts.

This event is essential for security monitoring as it provides detailed information about who made changes, what was changed, and when the modification occurred. Security teams rely on 4738 events to detect unauthorized account modifications, track administrative activities, and maintain compliance with audit requirements.

The event appears in the Security log and is generated only when the Audit User Account Management subcategory is enabled for Success; domain controllers audit account management by default, member servers and workstations do not. Understanding this event is crucial for maintaining a proper security posture in enterprise environments.

Frequently Asked Questions

What does Event ID 4738 mean and why is it important?
Event ID 4738 indicates that a user account has been modified in Windows. This event is crucial for security monitoring because it provides an audit trail of account changes, including password resets, enable/disable and other User Account Control flag changes, and attribute updates. Security teams use this event to detect unauthorized account modifications, track administrative activities, and maintain compliance with audit requirements. The event captures who made the change (including the Subject's Logon ID), which account was changed, and when it occurred.
How can I determine what specific changes were made to a user account in Event ID 4738?
The specific changes are documented in the 'Changed Attributes' section of the event details. Open the event in Event Viewer and read that section: each tracked attribute is listed with its new value, and attributes that were not part of the change show '-'. Only the User Account Control flags are shown as a before-and-after pair (Old UAC Value and New UAC Value). Common changes include password resets (visible as a new Password Last Set time), enable/disable and other flag changes (visible in the UAC values), account expiry changes, and attribute updates such as display name or user principal name.
Why am I not seeing Event ID 4738 in my Security log?
Event ID 4738 requires the 'Audit User Account Management' subcategory to be enabled for Success in the Advanced Audit Policy Configuration; domain controllers have this by default, member servers and workstations do not. Use the command 'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable' to enable it, and make sure the 'Force audit policy subcategory settings to override audit policy category settings' option is on so that legacy category settings do not override it. Also check that you are looking at the domain controller that processed the change, that you have sufficient privileges to read the Security log, and that the events haven't been cleared or aged out by the log retention settings.
Can Event ID 4738 help detect security breaches or unauthorized access?
Yes, Event ID 4738 is valuable for detecting security incidents. Look for suspicious patterns such as account modifications occurring outside business hours, changes made by unexpected user accounts, changes that weaken an account (password not required, Kerberos pre-authentication disabled, delegation enabled, SID History written), or bulk modifications to multiple accounts. Cross-reference 4738 events with logon events (4624) and special-privilege logon events (4672) through the shared Logon ID to build a complete picture of potentially malicious activity, including the source host and address. Automated monitoring can alert on modifications to privileged accounts or unusual change patterns.
How do I monitor Event ID 4738 across multiple domain controllers in my environment?
For enterprise environments, implement Windows Event Forwarding (WEF) to centralize 4738 events from all domain controllers on a collector server; every DC must be included because each one logs only the changes it processed. Configure subscriptions with 'wecutil' and use an XPath query such as *[System[EventID=4738]] to forward only the relevant events. Alternatively, use PowerShell remoting with 'Invoke-Command' to query several servers at once, or deploy a SIEM solution that collects and correlates 4738 events across your entire Active Directory infrastructure.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
