ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Active Directory computer account management events
Event ID 4747InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4747 – Security: Computer Account Password Changed

Event ID 4747 indicates a computer account password has been changed in Active Directory. This security audit event fires when domain controllers update machine account passwords during normal operations or administrative actions.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4747Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 4747 is generated by the Microsoft-Windows-Security-Auditing provider when a computer account password is successfully changed in Active Directory. This event is part of the Object Access audit category and requires appropriate audit policies to be enabled on domain controllers.

The event provides comprehensive details about the password change operation, including the Security ID (SID) and name of the computer account that was modified, the account that initiated the change, and the logon session information. The event also includes the domain name and additional security context that helps administrators understand the scope and legitimacy of the change.

Computer accounts in Active Directory domains automatically initiate password changes every 30 days as part of the Kerberos security protocol. This automatic process helps maintain security by regularly rotating machine account credentials. However, password changes can also occur during administrative operations such as resetting computer accounts, rejoining machines to the domain, or during certain Group Policy operations.

The event is crucial for security monitoring because unauthorized computer account password changes could indicate compromise attempts, privilege escalation, or administrative errors. Security teams often monitor this event alongside related events like 4742 (computer account changed) and 4743 (computer account deleted) to maintain comprehensive visibility into computer account management activities within their Active Directory infrastructure.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Windows 10Windows 11
Analysis

Possible Causes

  • Automatic computer account password rotation (default 30-day cycle)
  • Administrative reset of computer account password using Active Directory Users and Computers
  • Machine rejoining the domain after being removed or experiencing trust issues
  • PowerShell commands like Reset-ComputerMachinePassword or Set-ADAccountPassword
  • Group Policy operations that trigger computer account updates
  • Domain controller replication events involving computer account changes
  • Third-party Active Directory management tools performing bulk operations
  • Malicious activities attempting to compromise computer accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4747 occurrence to understand the context and legitimacy of the password change.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4747 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: Account that initiated the password change
    • Target Account: Computer account that was modified
    • Logon ID: Session identifier for correlation
    • Process Information: Application or service that performed the change
  6. Check the timestamp to correlate with known administrative activities or automatic processes
  7. Verify if the initiating account has appropriate permissions for computer account management
Pro tip: Look for patterns in the Process Name field - legitimate automatic password changes typically show 'lsass.exe' while administrative tools show different process names.
02

Query Events Using PowerShell

Use PowerShell to efficiently query and analyze Event ID 4747 occurrences across multiple domain controllers for comprehensive monitoring.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent Event ID 4747 occurrences:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4747} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events for specific computer accounts:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4747} | Where-Object {$_.Message -like '*COMPUTERNAME*'} | Format-Table TimeCreated, Message -Wrap
  4. Query events from multiple domain controllers:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=4747; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
}
  5. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4747; StartTime=(Get-Date).AddDays(-30)} | Export-Csv -Path "C:\Temp\Event4747_Analysis.csv" -NoTypeInformation
Warning: Querying large Security logs can impact domain controller performance. Use time filters and limit results appropriately.
03

Verify Computer Account Status and Trust

Investigate the affected computer account's current status and domain trust relationship to determine if the password change was legitimate and successful.

  1. Open Active Directory Users and Computers on a domain controller
  2. Navigate to the Computers container or appropriate OU
  3. Locate the computer account mentioned in the Event ID 4747
  4. Right-click the computer account and select Properties
  5. Check the Account tab for:
    • Account options and restrictions
    • Last logon timestamp
    • Account expiration settings
  6. Verify trust relationship using PowerShell:
    Test-ComputerSecureChannel -Server DC01.domain.com -Verbose
  7. Check computer account password age:
    Get-ADComputer -Identity "COMPUTERNAME" -Properties PasswordLastSet | Select-Object Name, PasswordLastSet
  8. If trust issues exist, reset the computer account:
    Reset-ComputerMachinePassword -Server DC01.domain.com -Credential (Get-Credential)
Pro tip: Computer accounts should have their PasswordLastSet within the last 30-45 days for healthy domain relationships.
04

Analyze Security Audit Policies and Correlation

Review audit policy configuration and correlate Event ID 4747 with related security events to understand the complete context of computer account changes.

  1. Verify audit policy settings on domain controllers:
    auditpol /get /subcategory:"Computer Account Management"
  2. Check Group Policy audit configuration:
    • Open Group Policy Management Console
    • Navigate to Default Domain Controllers Policy
    • Go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
    • Verify Account ManagementAudit Computer Account Management is enabled
  3. Query related events for correlation:
    # Check for related computer account events
$Events = @(4741, 4742, 4743, 4747)
foreach ($EventID in $Events) {
    Write-Host "Event ID $EventID occurrences:"
    (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$EventID; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue).Count
}
  4. Create a comprehensive audit report:
    $StartTime = (Get-Date).AddDays(-7)
$ComputerEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4741,4742,4743,4747); StartTime=$StartTime}
$ComputerEvents | Group-Object Id | Select-Object Name, Count | Sort-Object Count -Descending
05

Implement Advanced Monitoring and Alerting

Set up comprehensive monitoring and alerting for Event ID 4747 to proactively detect unusual computer account password change patterns and potential security issues.

  1. Create a custom Event Viewer view for computer account monitoring:
    • Open Event Viewer and right-click Custom Views
    • Select Create Custom View
    • Set Event level to Information and Event IDs to 4741,4742,4743,4747
    • Name the view "Computer Account Management"
  2. Configure Windows Event Forwarding for centralized monitoring:
    # On collector server
wecutil qc
# Create subscription
wecutil cs ComputerAccountEvents.xml
  3. Set up PowerShell-based monitoring script:
    # Monitor for unusual password change frequency
$Threshold = 5 # More than 5 changes per hour
$RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4747; StartTime=(Get-Date).AddHours(-1)}
if ($RecentEvents.Count -gt $Threshold) {
    Send-MailMessage -To "admin@company.com" -Subject "High Computer Account Password Changes" -Body "Detected $($RecentEvents.Count) password changes in the last hour"
}
  4. Configure registry settings for enhanced logging:
    # Enable detailed computer account logging
Set-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "MaxSize" -Value 1073741824
  5. Create scheduled task for regular monitoring:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorEvent4747.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "09:00"
Register-ScheduledTask -TaskName "Monitor Computer Account Changes" -Action $Action -Trigger $Trigger -RunLevel Highest
Warning: Excessive monitoring can generate significant log volume. Balance security needs with storage and performance requirements.

Overview

Event ID 4747 is a security audit event that fires when a computer account password is changed in Active Directory. This event appears in the Security log on domain controllers and provides detailed information about which computer account had its password modified, who initiated the change, and when it occurred.

Computer accounts in Active Directory automatically change their passwords every 30 days by default as part of normal domain security operations. However, this event can also indicate administrative password resets, machine rejoining the domain, or potential security issues if unexpected changes occur.

The event contains critical information including the target computer account name, the account that performed the change, logon session details, and timestamps. System administrators use this event to track computer account management activities and investigate unauthorized changes to machine accounts in their Active Directory environment.

This event is particularly valuable for security monitoring, compliance auditing, and troubleshooting domain trust issues. It helps administrators maintain visibility into computer account lifecycle management and detect anomalous password change patterns that might indicate security breaches or misconfigurations.

Frequently Asked Questions

What does Event ID 4747 mean and when should I be concerned?+
Event ID 4747 indicates that a computer account password has been changed in Active Directory. This is typically normal behavior as computer accounts automatically change their passwords every 30 days. You should be concerned if you see excessive password changes from the same computer account, changes initiated by unexpected user accounts, or changes occurring outside of normal business hours without corresponding administrative activities. Monitor for patterns that deviate from your organization's typical computer account management practices.
How can I distinguish between automatic and manual computer account password changes?+
Automatic password changes typically show 'lsass.exe' in the Process Name field and are initiated by the computer account itself (DOMAIN\COMPUTERNAME$). Manual changes usually show different process names like 'mmc.exe' for Active Directory Users and Computers, 'powershell.exe' for PowerShell commands, or other administrative tools. The Subject field will show the administrator account that initiated manual changes, while automatic changes show the computer account or SYSTEM as the subject.
Why am I seeing Event ID 4747 multiple times for the same computer?+
Multiple Event ID 4747 occurrences for the same computer can indicate several scenarios: normal password rotation cycles, domain trust issues causing repeated password reset attempts, computer account replication between domain controllers, or administrative troubleshooting activities. If you see frequent occurrences within short time periods, investigate the computer's domain trust relationship using Test-ComputerSecureChannel and check for underlying network or authentication issues that might be causing repeated password change attempts.
How do I configure audit policies to capture Event ID 4747?+
To capture Event ID 4747, you need to enable 'Audit Computer Account Management' under the Account Management category. Use Group Policy to configure this: navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit Computer Account Management, and set it to 'Success' or 'Success and Failure'. You can also use the command line: auditpol /set /subcategory:"Computer Account Management" /success:enable. This policy should be applied to domain controllers to capture computer account password changes.
What should I do if Event ID 4747 shows unauthorized computer account password changes?+
If you detect unauthorized computer account password changes, immediately investigate the source account that initiated the change. Check if the account has legitimate permissions for computer account management and verify recent logon activities for that account. Review related security events (4624, 4625, 4648) to understand the authentication context. If compromise is suspected, disable the affected accounts, reset passwords, and conduct a thorough security investigation. Consider implementing additional monitoring for computer account management activities and review your privileged access management policies to prevent future unauthorized changes.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including computer account management eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsDetailed documentation on configuring advanced audit policies for security monitoringhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4747#security-auditing#active-directory

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...