ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Active Directory computer account changes and audit logs
Event ID 4742InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4742 – Microsoft-Windows-Security-Auditing: Computer Account Changed

Event ID 4742 logs when a computer account is modified in Active Directory. This security audit event tracks changes to computer object attributes, group memberships, and account properties for compliance monitoring.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4742Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4742 represents a critical security audit event that tracks modifications to computer accounts within Active Directory environments. When any attribute of a computer object changes, Windows generates this event on the domain controller processing the modification. The event provides comprehensive details about the change, including the security identifier (SID) of the account making the modification, the target computer account, and specific attributes that were altered.

The event structure includes multiple fields that capture the modification context. The Subject fields identify who performed the change, including the account name, domain, logon ID, and SID. The Computer Account fields specify the target computer being modified, including its name, domain, and SID. The Changed Attributes section lists each modified attribute with both old and new values, providing a complete audit trail of the changes.

This event plays a crucial role in security monitoring and compliance frameworks. Organizations use 4742 events to detect unauthorized computer account modifications, track administrative activities, and maintain audit trails for regulatory compliance. The event helps identify potential security issues such as unauthorized privilege escalations, suspicious account modifications, or automated attacks targeting computer accounts. Security teams often correlate these events with other audit logs to build comprehensive security timelines and investigate potential breaches.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator modifying computer account properties through Active Directory Users and Computers
  • PowerShell scripts using Set-ADComputer or other Active Directory cmdlets to update computer attributes
  • Automated systems or Group Policy processing changing computer account settings
  • Computer account password resets performed by the computer or administrators
  • Changes to computer group memberships through security group modifications
  • Service account modifications affecting computer object attributes
  • Third-party identity management tools updating computer account properties
  • Domain controller replication synchronizing computer account changes
  • Certificate enrollment processes modifying computer account attributes
  • Security descriptor changes affecting computer account permissions
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific event details to understand what changed and who initiated the modification.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4742 using the filter option or search functionality
  4. Double-click the event to view detailed information including:
    • Subject fields showing who made the change
    • Computer Account fields identifying the target computer
    • Changed Attributes section listing modified properties
  5. Note the timestamp, source workstation, and logon type for correlation

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
Pro tip: The Changed Attributes section shows both old and new values, making it easy to identify exactly what was modified on the computer account.
02

Analyze Computer Account Changes with PowerShell

Use PowerShell to extract and analyze computer account modification patterns across your domain controllers.

  1. Query events from multiple domain controllers to get a complete picture:
$DCs = Get-ADDomainController -Filter *
$Events = @()
foreach ($DC in $DCs) {
    $Events += Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=4742; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
}
$Events | Select-Object TimeCreated, MachineName, @{Name='ComputerAccount';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[1] -replace '.*Account Name:\s*',''}}
  1. Filter events by specific computer accounts or time ranges:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like '*COMPUTER01*'} | Format-List TimeCreated, Message
  1. Export events for further analysis or compliance reporting:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\ComputerAccountChanges.csv" -NoTypeInformation
Warning: Large environments may generate thousands of 4742 events daily. Use appropriate time filters to avoid performance issues.
03

Correlate with Active Directory Changes

Cross-reference Event ID 4742 with Active Directory replication events and other security logs to understand the full context of computer account modifications.

  1. Check for related events that might indicate the source of changes:
# Look for related logon events from the same user
$UserSID = "S-1-5-21-..."
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -like "*$UserSID*"}
  1. Verify computer account status in Active Directory:
Get-ADComputer -Identity "COMPUTER01" -Properties * | Select-Object Name, Enabled, LastLogonDate, PasswordLastSet, MemberOf
  1. Check for Group Policy processing that might trigger computer account changes:
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} -MaxEvents 20 | Where-Object {$_.Message -like '*COMPUTER01*'}
  1. Review Directory Service event logs for replication issues:
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=1644,1645} -MaxEvents 10
Pro tip: Computer account password changes typically occur every 30 days by default and generate 4742 events. This is normal behavior unless the frequency is unusual.
04

Implement Advanced Monitoring and Alerting

Set up comprehensive monitoring for computer account changes to detect unauthorized modifications and maintain security compliance.

  1. Create a custom Event Viewer view for computer account monitoring:
  2. Open Event ViewerCustom ViewsCreate Custom View
  3. Configure filter criteria:
    • Event logs: Security
    • Event IDs: 4742
    • Keywords: Audit Success
  4. Save as "Computer Account Changes"
  1. Set up PowerShell-based monitoring script:
# Monitor for suspicious computer account changes
$LastCheck = (Get-Date).AddMinutes(-15)
$SuspiciousEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742; StartTime=$LastCheck} | Where-Object {
    $_.Message -notlike '*SYSTEM*' -and 
    $_.Message -like '*Account Name:*' -and
    ($_.Message -like '*Enabled*' -or $_.Message -like '*Group*')
}

if ($SuspiciousEvents) {
    $SuspiciousEvents | ForEach-Object {
        Send-MailMessage -To "admin@company.com" -From "monitoring@company.com" -Subject "Suspicious Computer Account Change" -Body $_.Message -SmtpServer "mail.company.com"
    }
}
  1. Configure Windows Event Forwarding for centralized monitoring:
  2. On collector server, run: wecutil qc
  3. Create subscription configuration file:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ComputerAccountChanges</SubscriptionId>
    <Query>
        <Select Path="Security">*[System[EventID=4742]]</Select>
    </Query>
</Subscription>
  1. Import the subscription: wecutil cs subscription.xml
Warning: Ensure proper firewall rules and WinRM configuration are in place before implementing Event Forwarding across domain controllers.
05

Forensic Analysis and Compliance Reporting

Perform detailed forensic analysis of computer account changes for security investigations and compliance auditing.

  1. Extract detailed event information for forensic analysis:
# Create detailed forensic report
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742; StartTime=(Get-Date).AddDays(-90)}
$Report = @()

foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = @{}
    $XML.Event.EventData.Data | ForEach-Object {
        $EventData[$_.Name] = $_.'#text'
    }
    
    $Report += [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUserName = $EventData.SubjectUserName
        SubjectDomainName = $EventData.SubjectDomainName
        TargetUserName = $EventData.TargetUserName
        TargetDomainName = $EventData.TargetDomainName
        ChangedAttributes = ($XML.Event.EventData.Data | Where-Object {$_.Name -like '*Changed*'} | ForEach-Object {$_.'#text'}) -join '; '
    }
}

$Report | Export-Csv -Path "C:\Forensics\ComputerAccountChanges_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  1. Analyze patterns and anomalies:
# Identify unusual modification patterns
$Report | Group-Object SubjectUserName | Sort-Object Count -Descending | Select-Object Name, Count
$Report | Group-Object TargetUserName | Sort-Object Count -Descending | Select-Object Name, Count
  1. Generate compliance reports with specific timeframes:
# Monthly compliance report
$StartDate = (Get-Date).AddDays(-30)
$ComplianceReport = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4742; StartTime=$StartDate} | 
    Select-Object TimeCreated, @{Name='ModifiedBy';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*'} | Select-Object -Skip 1 -First 1) -replace '.*Account Name:\s*',''}}, 
    @{Name='ComputerModified';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Computer Account:*'} | Select-Object -Skip 1 -First 1) -replace '.*Account Name:\s*',''}}

$ComplianceReport | Export-Csv -Path "C:\Compliance\Monthly_Computer_Changes_$(Get-Date -Format 'yyyy-MM').csv" -NoTypeInformation
Pro tip: Store forensic data in a secure, tamper-evident location and maintain chain of custody documentation for legal compliance requirements.

Overview

Event ID 4742 fires whenever a computer account undergoes modification in Active Directory. This security audit event captures changes to computer object attributes, including account properties, group memberships, password resets, and security descriptor modifications. The event generates on domain controllers when administrators or automated processes modify computer accounts through Active Directory Users and Computers, PowerShell cmdlets, or programmatic interfaces.

This event appears in the Security log on domain controllers and provides detailed information about what changed, who made the change, and when it occurred. The event includes both the old and new values for modified attributes, making it valuable for security monitoring and compliance auditing. Organizations typically see this event during routine computer management tasks, automated account maintenance, or security-related modifications.

The event fires for various computer account changes including enabling/disabling accounts, modifying group memberships, updating service principal names, changing account flags, and resetting computer passwords. Each modification generates a separate 4742 event with specific attribute details in the event data.

Frequently Asked Questions

What does Event ID 4742 indicate in Windows security logs?+
Event ID 4742 indicates that a computer account has been modified in Active Directory. This security audit event logs changes to computer object attributes, including account properties, group memberships, password resets, and security settings. The event provides detailed information about what changed, who made the change, and when it occurred, making it essential for security monitoring and compliance auditing in domain environments.
How can I determine what specific changes were made to a computer account?+
The Changed Attributes section in Event ID 4742 shows exactly what was modified, including both old and new values. You can view this information in Event Viewer by double-clicking the event, or extract it programmatically using PowerShell. The event XML contains detailed attribute information that can be parsed to identify specific changes like group membership modifications, account flag changes, or password resets.
Is Event ID 4742 generated for normal computer account maintenance?+
Yes, Event ID 4742 is generated during normal computer account maintenance activities. Common legitimate triggers include automatic computer password changes (typically every 30 days), Group Policy processing that modifies computer settings, administrative updates to computer properties, and certificate enrollment processes. However, unusual frequency or modifications by unexpected accounts may indicate security concerns that require investigation.
How can I filter Event ID 4742 to focus on security-relevant changes?+
Filter Event ID 4742 by focusing on specific attributes and actors. Look for changes made by non-system accounts, modifications to security-sensitive attributes like group memberships or account flags, and changes occurring outside normal business hours. Use PowerShell filtering to exclude routine password changes and focus on administrative modifications. Additionally, correlate with other security events like unusual logons or privilege escalations to identify potentially malicious activity.
What should I do if I see unexpected Event ID 4742 entries?+
Investigate unexpected Event ID 4742 entries by first identifying who made the change and from which workstation. Verify if the modification was authorized by checking with the responsible administrator or system owner. Review the specific attributes that were changed to assess the security impact. Correlate with other security events around the same timeframe to build a complete picture. If the change appears unauthorized, consider it a potential security incident and follow your organization's incident response procedures, including potentially disabling the affected computer account until investigation is complete.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive guide to Windows security auditing events including Event ID 4742 and related computer account monitoring events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Active Directory Security Best PracticesMicrosoft's official recommendations for securing Active Directory environments and monitoring account changes.https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4742#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...