ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Active Directory computer account events and audit logs
Event ID 4750InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4750 – Microsoft-Windows-Security-Auditing: Computer Account Password Changed

Event ID 4750 logs when a computer account password is changed in Active Directory. This security audit event tracks machine account password updates, typically occurring every 30 days automatically or during manual resets.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4750Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4750 represents a fundamental security audit event in Windows Active Directory environments. When a computer account password changes, whether through automatic processes or manual intervention, the domain controller generates this event and logs it to the Security event log. The event provides comprehensive details about the password change operation, including the security identifier (SID) of the target computer account, the account that initiated the change, and the logon session information.

Computer accounts in Active Directory domains automatically refresh their passwords every 30 days by default, controlled by the MaximumPasswordAge registry setting. This automatic process ensures security while maintaining domain trust relationships. Event ID 4750 captures these routine operations alongside manual password resets performed by administrators using tools like Active Directory Users and Computers or PowerShell cmdlets.

The event structure includes several key fields: the target account name and domain, the subject account performing the change, privilege information, and process details. Security teams use this information to establish baselines for normal computer account behavior and identify deviations that might indicate compromise or misconfiguration. Modern security information and event management (SIEM) systems parse these events to create automated alerts for suspicious computer account activities.

In enterprise environments, Event ID 4750 volume can be substantial due to the number of domain-joined computers automatically changing passwords. Proper log management and filtering become crucial for effective security monitoring without overwhelming administrators with routine events.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Automatic computer account password change (default 30-day cycle)
  • Manual password reset using Active Directory Users and Computers
  • PowerShell cmdlet execution (Reset-ComputerMachinePassword, Set-ADAccountPassword)
  • Domain controller replication triggering password synchronization
  • Computer rejoining the domain after being removed
  • Trust relationship repair operations
  • Third-party Active Directory management tools performing bulk operations
  • Automated scripts or scheduled tasks managing computer accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to the Security log to examine Event ID 4750 details:

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows LogsSecurity
  3. In the Actions pane, click Filter Current Log
  4. Enter 4750 in the Event IDs field and click OK
  5. Double-click any Event ID 4750 entry to view details
  6. Review the following key fields:
    • Subject Account Name: Who performed the password change
    • Target Account Name: Which computer account was modified
    • Target Domain: Domain containing the computer account
    • Logon ID: Session identifier for correlation
Pro tip: Look for patterns in the Subject Account Name field. Automatic changes typically show the computer account itself as the subject, while manual changes show administrator accounts.
02

Query Events with PowerShell

Use PowerShell to query and analyze Event ID 4750 occurrences across your environment:

# Get recent computer account password changes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750} -MaxEvents 50 | 
    Select-Object TimeCreated, @{Name='Computer';Expression={$_.Properties[0].Value}}, 
    @{Name='Subject';Expression={$_.Properties[1].Value}} | Format-Table -AutoSize

# Filter for specific computer account
$ComputerName = "WORKSTATION01$"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750} | 
    Where-Object {$_.Properties[0].Value -like "*$ComputerName*"} | 
    Select-Object TimeCreated, Message

# Check for manual password changes (non-computer account subjects)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750} -MaxEvents 100 | 
    Where-Object {$_.Properties[1].Value -notlike "*$"} | 
    Format-List TimeCreated, @{Name='Target';Expression={$_.Properties[0].Value}}, 
    @{Name='ChangedBy';Expression={$_.Properties[1].Value}}

For domain controllers, query multiple servers simultaneously:

$DomainControllers = @("DC01", "DC02", "DC03")
$Results = @()
foreach ($DC in $DomainControllers) {
    $Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{LogName='Security'; Id=4750} -MaxEvents 20 -ErrorAction SilentlyContinue
    $Results += $Events | Select-Object @{Name='DC';Expression={$DC}}, TimeCreated, @{Name='Computer';Expression={$_.Properties[0].Value}}
}
$Results | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
03

Analyze Computer Account Password Policy Settings

Verify and adjust computer account password policy settings that control Event ID 4750 frequency:

  1. Check current domain policy settings:
    # Query domain password policy
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordAge

# Check computer account password age setting
$Domain = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
Get-ADObject -Filter {objectClass -eq "domainDNS"} -SearchBase $DomainDN -Properties ms-DS-MachineAccountQuota, maxPwdAge
  2. Review registry settings on domain controllers:
    # Check maximum password age (default 2592000 seconds = 30 days)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name MaximumPasswordAge -ErrorAction SilentlyContinue

# Verify disable password change setting
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name DisablePasswordChange -ErrorAction SilentlyContinue
  3. For specific computer accounts, check last password change:
    Get-ADComputer -Identity "WORKSTATION01" -Properties PasswordLastSet, whenChanged | 
    Select-Object Name, PasswordLastSet, whenChanged, @{Name='DaysOld';Expression={(Get-Date) - $_.PasswordLastSet | Select-Object -ExpandProperty Days}}
Warning: Modifying computer account password policies can affect domain security and trust relationships. Test changes in a lab environment first.
04

Investigate Suspicious Computer Account Activities

Correlate Event ID 4750 with other security events to identify potential security issues:

  1. Search for related authentication events:
    # Look for failed computer account authentications around password changes
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date

# Get computer account password changes
$PasswordChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750; StartTime=$StartTime; EndTime=$EndTime}

# Check for authentication failures (Event ID 4625) for the same accounts
foreach ($Event in $PasswordChanges) {
    $ComputerAccount = $Event.Properties[0].Value
    $ChangeTime = $Event.TimeCreated
    
    $AuthFailures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$ChangeTime.AddHours(-2); EndTime=$ChangeTime.AddHours(2)} | 
        Where-Object {$_.Properties[5].Value -eq $ComputerAccount}
    
    if ($AuthFailures) {
        Write-Output "Potential issue with $ComputerAccount at $ChangeTime"
        $AuthFailures | Select-Object TimeCreated, @{Name='FailureReason';Expression={$_.Properties[8].Value}}
    }
}
  2. Check for unusual password change patterns:
    # Identify computers with frequent password changes (potential security issue)
$RecentChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750; StartTime=(Get-Date).AddDays(-30)}
$ChangesByComputer = $RecentChanges | Group-Object {$_.Properties[0].Value} | 
    Where-Object {$_.Count -gt 5} | 
    Select-Object Name, Count, @{Name='LastChange';Expression={($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated}}

$ChangesByComputer | Format-Table -AutoSize
  3. Verify trust relationships for affected computers:
    # Test secure channel for computers with recent password changes
$ComputerNames = $PasswordChanges | ForEach-Object {($_.Properties[0].Value -replace '\$$', '')}
foreach ($Computer in $ComputerNames) {
    try {
        $TrustTest = Test-ComputerSecureChannel -ComputerName $Computer -ErrorAction Stop
        Write-Output "$Computer`: Trust OK - $TrustTest"
    } catch {
        Write-Warning "$Computer`: Trust issue - $($_.Exception.Message)"
    }
}
05

Configure Advanced Monitoring and Alerting

Set up comprehensive monitoring for Event ID 4750 to detect anomalies and security issues:

  1. Create a custom Event Viewer view for computer account monitoring:
    • Open Event Viewer and right-click Custom Views
    • Select Create Custom View
    • Set Event level to Information
    • Enter 4750,4740,4767 in Event IDs (password change, account locked, password failed)
    • Set Event logs to Security
    • Name the view "Computer Account Security Events"
  2. Configure PowerShell-based monitoring script:
    # Advanced monitoring script for computer account password changes
param(
    [int]$MaxEvents = 100,
    [int]$AlertThreshold = 3,
    [string]$SMTPServer = "mail.company.com",
    [string]$AlertEmail = "security@company.com"
)

$StartTime = (Get-Date).AddHours(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4750; StartTime=$StartTime} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

if ($Events) {
    # Group by computer and check for excessive changes
    $SuspiciousActivity = $Events | Group-Object {$_.Properties[0].Value} | 
        Where-Object {$_.Count -ge $AlertThreshold}
    
    if ($SuspiciousActivity) {
        $AlertBody = "Suspicious computer account password activity detected:`n`n"
        foreach ($Activity in $SuspiciousActivity) {
            $AlertBody += "Computer: $($Activity.Name) - $($Activity.Count) password changes in last hour`n"
        }
        
        # Send alert email (configure SMTP settings as needed)
        Send-MailMessage -To $AlertEmail -From "monitoring@company.com" -Subject "Computer Account Security Alert" -Body $AlertBody -SmtpServer $SMTPServer
    }
    
    # Log summary to Windows Event Log
    $EventCount = $Events.Count
    Write-EventLog -LogName Application -Source "Computer Account Monitor" -EventId 1001 -EntryType Information -Message "Processed $EventCount computer account password changes in the last hour"
}
  3. Set up Windows Task Scheduler to run the monitoring script:
    # Create scheduled task for monitoring
$TaskName = "Computer Account Password Monitor"
$ScriptPath = "C:\Scripts\ComputerAccountMonitor.ps1"

$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM" -RunLevel Highest
Pro tip: Integrate Event ID 4750 monitoring with your SIEM solution using Windows Event Forwarding (WEF) to centralize computer account security monitoring across your entire domain.

Overview

Event ID 4750 fires when a computer account password is changed in Active Directory. This security audit event appears in the Security log on domain controllers and provides detailed information about machine account password modifications. Computer accounts automatically change their passwords every 30 days by default, making this a common and expected event in healthy Active Directory environments.

The event captures critical details including the target computer account, the account that performed the change, and timestamp information. Domain administrators rely on this event to track machine account security activities and identify unauthorized password changes. In Windows Server 2025 and modern environments, this event integrates with advanced threat protection systems to detect anomalous computer account activities.

Understanding Event ID 4750 is essential for security monitoring, compliance auditing, and troubleshooting domain trust issues. The event helps distinguish between normal automatic password changes and potentially suspicious manual modifications that could indicate security breaches or administrative errors.

Frequently Asked Questions

What does Event ID 4750 mean and why does it appear so frequently?+
Event ID 4750 indicates that a computer account password has been changed in Active Directory. It appears frequently because domain-joined computers automatically change their passwords every 30 days by default as a security measure. This automatic process ensures that machine accounts maintain secure authentication with domain controllers while preventing password staleness that could compromise domain trust relationships.
How can I distinguish between automatic and manual computer account password changes in Event ID 4750?+
Check the 'Subject Account Name' field in the event details. Automatic password changes typically show the computer account itself (ending with $) as the subject performing the change. Manual changes show human administrator accounts or service accounts. Additionally, automatic changes occur roughly every 30 days, while manual changes happen irregularly and often correlate with administrative activities or troubleshooting efforts.
Should I be concerned about multiple Event ID 4750 entries for the same computer in a short time period?+
Yes, multiple password changes for the same computer account within a short timeframe can indicate problems. Potential causes include trust relationship issues, time synchronization problems, domain controller replication conflicts, or security breaches. Investigate by checking for related authentication failures (Event ID 4625), verifying the secure channel with Test-ComputerSecureChannel, and reviewing the accounts that initiated the changes.
Can Event ID 4750 help detect compromised computer accounts?+
Absolutely. Event ID 4750 is valuable for security monitoring when analyzed with other events. Look for unusual patterns such as password changes initiated by unexpected accounts, changes occurring outside normal business hours, or computers changing passwords more frequently than the 30-day default. Correlate with failed authentication attempts, privilege escalation events, and network access logs to identify potential compromises.
How do I reduce Event ID 4750 log volume without compromising security monitoring?+
Implement selective logging strategies: configure audit policies to log only manual password changes by filtering out automatic computer-initiated changes, use Event Log subscriptions to forward only suspicious patterns to central monitoring systems, set up log rotation with appropriate retention periods, and leverage SIEM tools to aggregate and analyze patterns rather than individual events. You can also adjust the MaximumPasswordAge setting to reduce frequency, but this may impact security posture.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4750 and related computer account security events.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Active Directory Computer Account ManagementOfficial documentation covering computer account security, password policies, and trust relationship management in Active Directory environments.https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4750#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...