
Windows Event ID 4739 – Microsoft-Windows-Security-Auditing: User Account Changed

Event ID 4739 logs when a user account is modified in Active Directory or local security database, capturing changes to account properties, group memberships, and security settings for audit compliance.

Emanuel DE ALMEIDA
18 March 2026

What This Event Means

Event ID 4739 represents one of the most important security audit events in Windows environments. Generated by the Microsoft-Windows-Security-Auditing provider, this event creates a detailed audit trail whenever user account properties are modified through any mechanism - Active Directory Users and Computers, PowerShell cmdlets, NET commands, or programmatic APIs.

The event structure includes comprehensive metadata: the security identifier (SID) of both the account being modified and the account performing the modification, timestamp information, workstation details, and most importantly, a detailed list of changed attributes. For Active Directory environments, this includes LDAP attribute names and their before/after values where applicable.

Windows generates this event on domain controllers for AD account changes and on local systems for SAM database modifications. The event fires after successful account modifications only - failed attempts generate different event IDs. This behavior ensures the audit log reflects actual security state changes rather than attempted changes.

In 2026 environments with Windows Server 2025 domain controllers, Event ID 4739 includes enhanced attribute tracking for cloud-hybrid scenarios and improved correlation with Azure AD Connect synchronization events. The event also captures modifications made through Windows Admin Center and modern management tools.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator modifying user account properties through Active Directory Users and Computers
  • PowerShell cmdlets like Set-ADUser, Set-LocalUser changing account attributes
  • Group Policy applying account policy changes to user objects
  • Automated provisioning systems updating user account information
  • Password resets performed by help desk or self-service portals
  • Account flag changes such as enabling/disabling accounts or setting password never expires
  • Group membership modifications adding or removing users from security groups
  • Bulk user import operations updating existing account properties
  • Third-party identity management solutions synchronizing account changes
  • Exchange Server modifying mail-enabled user attributes during mailbox operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to Windows Logs → Security to examine Event ID 4739 details.

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Expand Windows Logs and click Security
  3. Right-click the Security log and select Filter Current Log
  4. Enter 4739 in the Event IDs field and click OK
  5. Double-click any Event ID 4739 entry to view detailed information
  6. Review the General tab for account names, timestamps, and change details
  7. Check the Details tab for raw XML data including specific attribute changes

Key fields to examine include Subject (who made the change), Target Account (account being modified), and Changed Attributes listing specific properties that were altered.
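The same fields can be read from the event's XML (what the Details tab shows) instead of the Message text, which is localized and changes with the display language. This is an added example, not code from the original article; the Data names in the constructed sample are assumptions to check against the Details tab of a real event before relying on them.

```powershell
# Added example: map a Security event's XML into a flat object keyed by the <Data Name="..."> names.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$EventXml)

    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    $record = [ordered]@{
        EventId     = [int]$xml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
        TimeCreated = [datetime]$xml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $xml.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
    }
    # Every EventData field becomes a property keyed by its Name attribute.
    foreach ($d in $xml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $record[$d.GetAttribute('Name')] = $d.InnerText
    }
    [PSCustomObject]$record
}

# Constructed sample record (not a real log entry); '-' marks an attribute that did not change.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4739</EventID>
    <TimeCreated SystemTime="2026-03-18T02:14:09.000Z"/>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="TargetUserName">john.doe</Data>
    <Data Name="DisplayName">-</Data>
    <Data Name="UserAccountControl">%%2048</Data>
  </EventData>
</Event>
'@

$r = ConvertFrom-SecurityEventXml -EventXml $sampleXml
# Only the attribute fields whose value is not '-' actually changed in this record.
$meta    = 'EventId', 'TimeCreated', 'Computer', 'SubjectUserName', 'TargetUserName'
$changed = $r.PSObject.Properties | Where-Object { $_.Name -notin $meta -and $_.Value -ne '-' }
'{0} changed {1}: {2}' -f $r.SubjectUserName, $r.TargetUserName, (($changed | ForEach-Object { $_.Name }) -join ', ')

# Against a live log (locale-independent, unlike Message parsing):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739} -MaxEvents 5 |
#     ForEach-Object { ConvertFrom-SecurityEventXml -EventXml $_.ToXml() }
```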

02

Query Events with PowerShell

Use PowerShell to filter and analyze Event ID 4739 occurrences with specific criteria.

# Get recent user account change events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739} -MaxEvents 50 | 
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Filter events for specific user account
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739}
$Events | Where-Object {$_.Message -like '*john.doe*'} | 
    Format-Table TimeCreated, Message -Wrap

# Export events to CSV for analysis. The first "Account Name:" line in the message belongs
# to the Subject block, i.e. the account that made the change.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739} -MaxEvents 1000 | 
    Select-Object TimeCreated, Id, LevelDisplayName, 
    @{Name='ModifiedBy';Expression={($_.Message -split '\r?\n' | Where-Object {$_ -like '*Account Name:*'})[0] -replace '.*Account Name:\s*', ''}}, 
    @{Name='Changes';Expression={($_.Message -split '\r?\n' | Where-Object {$_ -like '*Changed Attributes:*'})[0]}} | 
    Export-Csv -Path "C:\Temp\UserAccountChanges.csv" -NoTypeInformation

This approach provides programmatic access to event data for automated analysis and reporting.

03

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture comprehensive user account change events.

  1. Open Group Policy Management Console or run gpedit.msc for local policy
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  3. Expand Account Management and double-click Audit User Account Management
  4. Enable Configure the following audit events and check both Success and Failure
  5. Apply the policy and run gpupdate /force to refresh settings

# Verify current audit policy settings
auditpol /get /subcategory:"User Account Management"

# Enable user account management auditing via command line
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Check audit policy effectiveness
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739} -MaxEvents 1 | 
    Select-Object TimeCreated, Message

Proper audit configuration ensures all user account modifications generate Event ID 4739 entries for compliance and security monitoring.

04

Analyze Attribute Changes with Custom Scripts

Create PowerShell scripts to parse and analyze specific attribute changes from Event ID 4739 messages.

# Function to parse Event ID 4739 attribute changes
function Parse-UserAccountChanges {
    param([int]$Days = 7)

    $Events = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4739
        StartTime=(Get-Date).AddDays(-$Days)
    }

    foreach ($Event in $Events) {
        $Lines = $Event.Message -split '\r?\n'

        # The message is made of labelled blocks (Subject:, Target Account:, Changed Attributes:, ...).
        # Both the Subject and the Target Account block contain an "Account Name:" line, so track
        # the current block instead of matching "Account Name:" on its own.
        $Section = ''
        $AccountName = ''; $SubjectName = ''; $ChangedAttribs = @()
        foreach ($Line in $Lines) {
            if ($Line -match '^\s*(Subject|Target Account|Changed Attributes|Additional Information):') {
                $Section = $Matches[1]; continue
            }
            switch ($Section) {
                'Subject'        { if ($Line -match 'Account Name:\s*(.+)') { $SubjectName = $Matches[1].Trim() } }
                'Target Account' { if ($Line -match 'Account Name:\s*(.+)') { $AccountName = $Matches[1].Trim() } }
                'Changed Attributes' {
                    # Unchanged attributes are listed with the value '-'; keep only those that changed.
                    if ($Line -match '^\s*([^:]+):\s*(.+)$') {
                        $Value = $Matches[2].Trim()
                        if ($Value -and $Value -ne '-') { $ChangedAttribs += $Matches[1].Trim() }
                    }
                }
            }
        }

        [PSCustomObject]@{
            TimeCreated       = $Event.TimeCreated
            ModifiedAccount   = $AccountName
            ModifiedBy        = $SubjectName
            ChangedAttributes = $ChangedAttribs -join ', '
            EventId           = $Event.Id
        }
    }
}

# Run the analysis
$Changes = Parse-UserAccountChanges -Days 30
$Changes | Format-Table -AutoSize

# Group by modified account to see patterns
$Changes | Group-Object ModifiedAccount | 
    Select-Object Name, Count, @{Name='LastChange';Expression={($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated}}

This method provides detailed analysis capabilities for forensic investigation and compliance reporting.

05

Implement SIEM Integration and Alerting

Configure Windows Event Forwarding and SIEM integration for centralized monitoring of user account changes.

  1. Configure Windows Event Forwarding on domain controllers and member servers
  2. Create custom event forwarding subscription for Event ID 4739
  3. Set up SIEM parsing rules for user account change events

# Configure WinRM and the Windows Event Collector service (run on the collector server)
winrm quickconfig
wecutil qc

# Create event subscription XML file.
# A source-initiated subscription only receives events from computers listed in
# AllowedSourceDomainComputers (an SDDL string). The value below grants the Domain Computers
# group and is an assumption to adjust for your environment. Source computers must also be
# pointed at this collector through the "Configure target Subscription Manager" Group Policy
# setting (Administrative Templates → Windows Components → Event Forwarding).
$SubscriptionXML = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>UserAccountChanges</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward user account change events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4739]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

# Save and create subscription
$SubscriptionXML | Out-File -FilePath "C:\Temp\UserAccountChanges.xml"
wecutil cs "C:\Temp\UserAccountChanges.xml"

# Verify subscription status and which sources have checked in
wecutil gs UserAccountChanges
wecutil gr UserAccountChanges

Enterprise environments should implement centralized logging with automated alerting for suspicious user account modifications, especially privilege escalations or bulk changes.

Overview

Event ID 4739 fires whenever a user account undergoes modification in Windows security subsystem. This includes changes to account properties like display name, description, password policies, account flags, or group memberships. The event captures both Active Directory domain account changes and local user account modifications on standalone systems.

This security audit event is critical for compliance frameworks like SOX, HIPAA, and PCI-DSS that require detailed user account change tracking. Domain controllers generate this event for AD user modifications, while member servers and workstations log local account changes. The event provides granular details about what changed, who made the change, and when it occurred.

Security teams rely on Event ID 4739 to detect unauthorized account modifications, privilege escalations, and insider threats. The event appears in the Security log and requires audit policy configuration to capture properly. Modern SIEM solutions parse these events for automated alerting on suspicious account changes.

Frequently Asked Questions

What does Event ID 4739 mean and when does it occur?
Event ID 4739 indicates that a user account has been modified in the Windows security database. This event fires whenever account properties change, including display name, description, password policies, account flags (like account disabled/enabled), group memberships, or any other user object attributes. It occurs on domain controllers for Active Directory account changes and on local systems for SAM database modifications. The event provides detailed audit information about what changed, who made the change, and when it occurred, making it essential for security compliance and forensic investigations.

How can I determine what specific attributes were changed in Event ID 4739?
The Event ID 4739 message contains a 'Changed Attributes' block that lists the specific properties modified. In Event Viewer, double-click the event and review the General tab message or switch to the Details tab for XML format. For Active Directory changes, you'll see LDAP attribute names like 'displayName', 'description', 'userAccountControl', or 'memberOf'. Use PowerShell to locate that block programmatically: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739} | ForEach-Object {$_.Message -split '\r?\n' | Where-Object {$_ -like '*Changed Attributes:*'}} returns the header line of the block; the attribute lines that follow it are what the parsing function in method 04 collects. Some attributes may show before and after values, while others only indicate that a change occurred.

Why am I not seeing Event ID 4739 in my Security log?
Event ID 4739 requires proper audit policy configuration to appear in the Security log. You must enable 'Audit User Account Management' under Advanced Audit Policy Configuration. Navigate to Group Policy → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit User Account Management, and enable both Success and Failure auditing. After applying the policy, run 'gpupdate /force' and verify with 'auditpol /get /subcategory:"User Account Management"'. If the policy is enabled but events still don't appear, check that user account modifications are actually occurring and that the Security log isn't full or being cleared automatically.

Can Event ID 4739 help detect unauthorized privilege escalations?
Yes, Event ID 4739 is crucial for detecting privilege escalations and unauthorized account modifications. Monitor for changes to sensitive attributes like 'userAccountControl' (which controls account flags), 'memberOf' (group membership changes), or 'adminCount' (indicates privileged account status). Set up alerts for account modifications outside business hours, bulk changes to multiple accounts, or changes made by non-administrative users. Pay special attention to accounts being added to privileged groups like Domain Admins, Enterprise Admins, or local Administrators. Use SIEM solutions to correlate Event ID 4739 with other security events like logon events (4624) or privilege use events (4672) to build a complete picture of potential security incidents.
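The alerting rules described here and in method 05 (sensitive attributes, privileged groups, off-hours changes, bulk changes, non-administrative subjects) applied to parsed records, as an added example that is not part of the original article. The sample records, the known-administrator list and the thresholds are assumptions; the record shape matches the output of the Parse-UserAccountChanges function in method 04.

```powershell
# Added example: triage rules over parsed user account change records
# (TimeCreated, ModifiedBy, ModifiedAccount, ChangedAttributes). Returns one row per flagged record.
function Find-SuspiciousAccountChanges {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$KnownAdmins = @('svc-iam', 'adm.jane'),  # subjects expected to change accounts (assumed)
        [int]$BulkThreshold = 5, [int]$BulkWindowMinutes = 10,
        [int]$BusinessStartHour = 7, [int]$BusinessEndHour = 19
    )
    $sensitive  = 'userAccountControl', 'memberOf', 'adminCount'
    $privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

    foreach ($r in $Records) {
        $reasons = @()
        # ChangedAttributes may be an array or the comma-joined string produced by the parser.
        $attrs = @($r.ChangedAttributes) -split ',\s*' | ForEach-Object { $_.Trim() }
        if ($attrs | Where-Object { $_ -in $sensitive })  { $reasons += 'sensitive attribute' }
        if ($attrs | Where-Object { $_ -in $privGroups }) { $reasons += 'privileged group' }
        $hour = $r.TimeCreated.Hour
        if ($hour -lt $BusinessStartHour -or $hour -ge $BusinessEndHour) { $reasons += 'outside business hours' }
        if ($r.ModifiedBy -notin $KnownAdmins) { $reasons += 'non-admin subject' }
        # Bulk change: the same subject touched many accounts within the window around this record.
        $window = @($Records | Where-Object {
            $_.ModifiedBy -eq $r.ModifiedBy -and
            [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalMinutes) -le $BulkWindowMinutes
        })
        if ($window.Count -ge $BulkThreshold) { $reasons += 'bulk change' }
        if ($reasons) {
            [PSCustomObject]@{
                TimeCreated     = $r.TimeCreated
                ModifiedBy      = $r.ModifiedBy
                ModifiedAccount = $r.ModifiedAccount
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample records (not real log data): two help-desk changes at night, one daytime IAM change.
$t = Get-Date '2026-03-18 22:05'
$sample = @(
    [PSCustomObject]@{ TimeCreated = $t;               ModifiedBy = 'helpdesk01'; ModifiedAccount = 'john.doe'; ChangedAttributes = 'displayName' }
    [PSCustomObject]@{ TimeCreated = $t.AddMinutes(1); ModifiedBy = 'helpdesk01'; ModifiedAccount = 'j.smith';  ChangedAttributes = 'userAccountControl, memberOf' }
    [PSCustomObject]@{ TimeCreated = $t.AddHours(11);  ModifiedBy = 'svc-iam';    ModifiedAccount = 'new.hire'; ChangedAttributes = 'description' }
)
Find-SuspiciousAccountChanges -Records $sample | Format-Table -AutoSize
# Live data: Find-SuspiciousAccountChanges -Records (Parse-UserAccountChanges -Days 1)
```

On the sample, the two help-desk records are flagged (non-admin subject and off-hours; the second also for sensitive attributes) and the daytime change by the IAM service account is not.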

How do I export and analyze Event ID 4739 data for compliance reporting?
Use PowerShell to export Event ID 4739 data to CSV format for compliance analysis. Because the Subject block and the Target Account block of the message each contain an 'Account Name:' line, the first match is the account that made the change and the second is the account that was modified. Run: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4739; StartTime=(Get-Date).AddDays(-30)} | Select-Object TimeCreated, @{Name='ModifiedBy';Expression={(($_.Message -split '\r?\n') -match 'Account Name:')[0] -replace '.*Account Name:\s*', ''}}, @{Name='ModifiedAccount';Expression={(($_.Message -split '\r?\n') -match 'Account Name:')[1] -replace '.*Account Name:\s*', ''}}, @{Name='Changes';Expression={(($_.Message -split '\r?\n') -match 'Changed Attributes:')[0]}} | Export-Csv -Path 'UserAccountChanges.csv' -NoTypeInformation. For enterprise environments, implement Windows Event Forwarding to centralize these events and use SIEM solutions for automated compliance reporting with proper retention policies.