Windows Event ID 4781 – Security: Account Name Changed

Event ID 4781 records when a user account name is changed in Active Directory or in the local SAM database. It is a key event for security auditing and compliance tracking.

Emanuel DE ALMEIDA | 18 March 2026 | 9 min read

What This Event Means

Windows Event ID 4781 represents a critical security audit event that documents user account name modifications across Windows environments. This event generates automatically when the sAMAccountName attribute changes in Active Directory or when a local user account name is modified through administrative tools or programmatic interfaces.

The event body has two parts. Subject carries the Security ID, Account Name, Account Domain and Logon ID of the principal who made the change; Target Account carries the Security ID and Account Domain of the account being renamed together with its Old Account Name and New Account Name. An Additional Information section lists any privileges used for the operation (normally "-"). The event does not record the workstation or network address the change came from, nor the authentication package; those have to be recovered from the 4624 logon event on the same host whose Logon ID matches the Subject's Logon ID.

From a security perspective, Event 4781 serves as a cornerstone for detecting unauthorized account modifications. Legitimate account name changes typically follow established procedures and occur during business hours by authorized administrators. Suspicious patterns include account name changes during off-hours, modifications by non-administrative users, or rapid sequences of account name changes that might indicate automated attack tools.

The event integrates with Windows Advanced Audit Policy Configuration and requires the 'Audit User Account Management' subcategory to be enabled. In domain environments, the event generates on domain controllers where the account modification occurs. For local accounts, the event appears on the specific system where the local user account resides.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually renaming user accounts through Active Directory Users and Computers
  • PowerShell scripts or automated tools modifying account names via Set-ADUser or Rename-LocalUser cmdlets
  • Third-party identity management systems synchronizing account changes
  • Exchange Server or other applications updating account attributes that include name changes
  • Migration tools renaming accounts during domain consolidation or restructuring
  • Malicious actors attempting to hide compromised accounts by changing names
  • Bulk account management operations using CSV imports or LDAP modifications
  • Service account name standardization projects
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific Event 4781 details to understand the account change context.

  1. Open Event Viewer > Windows Logs > Security
  2. Filter for Event ID 4781 using Filter Current Log in the Actions pane
  3. Double-click the event to view detailed information including:
    • Subject: Security ID, Account Name, Account Domain and Logon ID of the user who performed the change
    • Target Account: Security ID and Account Domain (domain or computer name) of the renamed account; the SID does not change on rename, so use it to follow the account through later events
    • Old Account Name: Original sAMAccountName
    • New Account Name: Modified sAMAccountName
    • Privileges: Any privileges used for the operation (usually "-")
  4. Note the timestamp and correlate it with any scheduled maintenance windows
  5. Check that the change aligns with documented administrative procedures and change records
Pro tip: The Subject section shows the actual user account that performed the rename, which may differ from the logged-on user if using RunAs or delegation.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event 4781 occurrences across multiple systems.

  1. Query recent account name changes on the local system. Read the fields from the XML view of each record by name rather than scraping the Message text, which is localized and whitespace-sensitive:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} -MaxEvents 50 | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; OldName = $d.OldTargetUserName; NewName = $d.NewTargetUserName; TargetSid = $d.TargetSid; ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; LogonId = $d.SubjectLogonId }
    }
  2. Search for changes involving a specific account name (old or new):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | Where-Object {$_.Message -match 'testuser'} | Format-Table TimeCreated, Id, LevelDisplayName
  3. Query every domain controller, because the event is written only on the DC that processed the rename:
    $DCs = Get-ADDomainController -Filter *
    foreach ($DC in $DCs) {
        Invoke-Command -ComputerName $DC.HostName -ScriptBlock {
            Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} -MaxEvents 10 -ErrorAction SilentlyContinue
        }
    }
  4. Export results for further analysis (pipe through the field parser from step 1 first if you want one column per field instead of the full Message):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | Select-Object TimeCreated, MachineName, Id, Message | Export-Csv -Path "C:\Temp\AccountNameChanges.csv" -NoTypeInformation
03

Investigate Account Change Patterns

Analyze patterns in account name changes to identify potential security issues or administrative trends.

  1. Check for suspicious timing patterns (number of renames per hour of the day):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | Group-Object @{Expression={$_.TimeCreated.Hour}} | Sort-Object Count -Descending
  2. Identify which subjects perform renames most often. Read SubjectUserName from the event XML; matching the line 'Subject:' in the Message only returns the heading, not the account name:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            ChangedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Rename      = "$($d.OldTargetUserName) -> $($d.NewTargetUserName)"
        }
    } | Group-Object ChangedBy | Sort-Object Count -Descending
  3. Cross-reference with logon events (4624) to verify the session was legitimate. The 4781 Subject Logon ID equals the Target Logon ID of the 4624 that opened that session on the same host, and that 4624 carries the logon type, workstation name and source address that 4781 lacks:
    $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
    $NameChangeEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781}
    $LogonIds = $NameChangeEvents | ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq 'SubjectLogonId' } | ForEach-Object { $_.InnerText } }
    $LogonEvents | Where-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq 'TargetLogonId' -and $_.InnerText -in $LogonIds } } | Select-Object TimeCreated, Message
  4. Check Active Directory for additional account modifications:
    Get-ADUser -Filter * -Properties whenChanged, whenCreated | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-7)} | Select-Object Name, SamAccountName, whenChanged
Warning: Multiple rapid account name changes or changes during off-hours may indicate compromise or unauthorized access.
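The field layout described under "What This Event Means" and the triage rules from steps 02 and 03, brought together as one added example that is not part of the original article: the first function parses 4781 records by the named EventData fields (OldTargetUserName, NewTargetUserName, TargetSid, SubjectUserName, SubjectLogonId), the second applies the off-hours, unauthorized-subject, rapid-sequence and built-in-Administrator checks. The five records are constructed samples; the CORP domain, DC01 and the authorized-subject list are assumptions.

```powershell
# Added example (not from the original article). Parses 4781 by field name and
# applies the triage rules described in the text. Sample data is constructed.

function ConvertFrom-Event4781 {
    # Accepts a live record from Get-WinEvent or a raw event XML string.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        # Index EventData by Data/@Name rather than by line position in Message,
        # so localized templates and tab/space differences do not break parsing.
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        [pscustomobject]@{
            TimeCreated    = [datetime]$xml.Event.System.TimeCreated.GetAttribute('SystemTime')
            Computer       = $xml.Event.System.Computer
            SubjectUser    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SubjectLogonId = $d.SubjectLogonId          # join key to the 4624 of the same session
            TargetSid      = $d.TargetSid               # constant across renames; track the account by it
            OldName        = $d.OldTargetUserName
            NewName        = $d.NewTargetUserName
        }
    }
}

function Find-Suspicious4781 {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $AuthorizedSubjects = @(),   # assumption: accounts your change records allow to rename
        [int] $BusinessStart = 8, [int] $BusinessEnd = 18,
        [int] $BurstCount = 3, [int] $BurstMinutes = 10
    )
    $sorted = @($Events | Sort-Object TimeCreated)
    foreach ($e in $sorted) {
        $reasons = @()
        $t = $e.TimeCreated
        if ($e.SubjectUser -notin $AuthorizedSubjects) { $reasons += 'subject not on the authorized list' }
        if ($t.Hour -lt $BusinessStart -or $t.Hour -ge $BusinessEnd -or (@('Saturday','Sunday') -contains $t.DayOfWeek.ToString())) {
            $reasons += 'outside business hours'
        }
        # Rapid sequence: the same subject renamed $BurstCount or more accounts within $BurstMinutes
        $burst = @($sorted | Where-Object {
            $_.SubjectUser -eq $e.SubjectUser -and [math]::Abs(($_.TimeCreated - $t).TotalMinutes) -le $BurstMinutes })
        if ($burst.Count -ge $BurstCount) { $reasons += "$($burst.Count) renames by this subject within $BurstMinutes min" }
        # RID 500 is the built-in Administrator; renaming it deserves a look on its own
        if ($e.TargetSid -match '-500$') { $reasons += 'target is the built-in Administrator (RID 500)' }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru -Force
        }
    }
}

function New-Sample4781 {
    # Builds a constructed 4781 record in the XML shape that EventLogRecord.ToXml() returns.
    param([datetime]$Time, [string]$Subject, [string]$LogonId, [string]$Old, [string]$New, [string]$Sid)
    $ts = $Time.ToUniversalTime().ToString('o')
    @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4781</EventID><TimeCreated SystemTime='$ts'/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name='OldTargetUserName'>$Old</Data><Data Name='NewTargetUserName'>$New</Data>
    <Data Name='TargetDomainName'>CORP</Data><Data Name='TargetSid'>$Sid</Data>
    <Data Name='SubjectUserSid'>S-1-5-21-1-2-3-1105</Data><Data Name='SubjectUserName'>$Subject</Data>
    <Data Name='SubjectDomainName'>CORP</Data><Data Name='SubjectLogonId'>$LogonId</Data>
    <Data Name='PrivilegeList'>-</Data>
  </EventData>
</Event>
"@
}

# Constructed samples: one routine rename by the IdM service account during the day,
# then four renames in five minutes at 02:13 by a helpdesk account, starting with RID 500.
$samples = @(
    New-Sample4781 -Time '2026-03-18 10:15' -Subject 'svc-idm'   -LogonId '0x7b1e44' -Old 'jdoe'          -New 'j.doe'     -Sid 'S-1-5-21-1-2-3-1234'
    New-Sample4781 -Time '2026-03-18 02:13' -Subject 'helpdesk7' -LogonId '0x5a3f2c' -Old 'Administrator' -New 'sysbackup' -Sid 'S-1-5-21-1-2-3-500'
    New-Sample4781 -Time '2026-03-18 02:14' -Subject 'helpdesk7' -LogonId '0x5a3f2c' -Old 'svc-sql'       -New 'svc-sql2'  -Sid 'S-1-5-21-1-2-3-1410'
    New-Sample4781 -Time '2026-03-18 02:15' -Subject 'helpdesk7' -LogonId '0x5a3f2c' -Old 'adm-ops'       -New 'ops-adm'   -Sid 'S-1-5-21-1-2-3-1077'
    New-Sample4781 -Time '2026-03-18 02:17' -Subject 'helpdesk7' -LogonId '0x5a3f2c' -Old 'audit'         -New 'audit1'    -Sid 'S-1-5-21-1-2-3-1302'
)

$parsed = $samples | ConvertFrom-Event4781
Find-Suspicious4781 -Events $parsed -AuthorizedSubjects 'CORP\svc-idm' |
    Format-Table TimeCreated, SubjectUser, OldName, NewName, Reasons -Wrap
```

The svc-idm rename comes back clean; the four helpdesk7 renames are each flagged for the unauthorized subject, the hour and the burst, and the first one additionally for RID 500. On a live domain controller the same pipeline is `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | ConvertFrom-Event4781 | ...`, since the parser accepts EventLogRecord objects directly.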
04

Configure Advanced Monitoring

Set up comprehensive monitoring for account name changes to improve security posture and compliance.

  1. Verify audit policy configuration:
    auditpol /get /subcategory:"User Account Management"
  2. Enable auditing if it is not already configured. 4781 is a success-only event, so the failure setting adds nothing for it but is harmless. If audit policy is delivered by Group Policy, a local auditpol change is overwritten at the next refresh; set it in the GPO instead under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management:
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
  3. Create a scheduled task that fires on each new Event 4781. A startup trigger would only ever mail whatever 4781 happened to be newest at boot, so the trigger is built as an event trigger through the MSFT_TaskEventTrigger CIM class (New-ScheduledTaskTrigger has no event-trigger option), and the task runs as SYSTEM so it can read the Security log:
    $Action   = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -Command `$e = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} -MaxEvents 1; Send-MailMessage -To 'admin@company.com' -From 'monitoring@company.com' -Subject 'Account Name Changed' -Body `$e.Message -SmtpServer 'mail.company.com'"
    $Class    = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
    $Trigger  = New-CimInstance -CimClass $Class -ClientOnly
    $Trigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4781)]]</Select></Query></QueryList>'
    $Trigger.Enabled = $true
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
    Register-ScheduledTask -TaskName 'Monitor-AccountNameChanges' -Action $Action -Trigger $Trigger -Settings $Settings -User 'SYSTEM'
  4. Configure Windows Event Forwarding for centralized collection:
    • On collector server: wecutil qc
    • Create subscription: wecutil cs subscription.xml
    • Configure source computers to forward Security events
  5. Set up SIEM integration using Windows Event Log forwarding or agents
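Step 4 names the subscription file without showing it. The following is an added example, not part of the original article: a source-initiated subscription restricted to Event ID 4781, written and registered from PowerShell on the collector. The subscription ID, latency values and the default log file are assumptions; the SDDL admits Domain Computers and Domain Controllers as sources and should be narrowed to the groups you actually forward from.

```powershell
# Added example (not from the original article): subscription.xml for 'wecutil cs',
# limited to Event ID 4781, registered on the collector. Values are assumptions.

$Subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AccountNameChanges</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward 4781 (account name changed) from all domain members</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- 30 s batching: renames are rare, so latency matters more than bandwidth -->
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4781)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: Domain Computers (DC) and Domain Controllers (DD) may deliver events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

$Path = Join-Path $env:TEMP 'subscription-4781.xml'
Set-Content -Path $Path -Value $Subscription -Encoding Ascii

wecutil qc /q:true              # enable and start the Windows Event Collector service without prompting
wecutil cs $Path                # register the subscription
wecutil gs AccountNameChanges   # print the stored settings to confirm it was accepted
wecutil gr AccountNameChanges   # runtime status: which sources have checked in and any delivery errors

# Once sources report in, forwarded renames land in the ForwardedEvents log on the collector
Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4781} -MaxEvents 5 -ErrorAction SilentlyContinue
```

On the source side, point the forwarder at the collector through Group Policy (Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, with a value such as `Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60`, collector name assumed) and give the Network Service account read access to the Security log, for example by adding it to the Event Log Readers group; without that, sources check in but forward nothing.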
05

Forensic Analysis and Response

Conduct thorough forensic analysis when suspicious account name changes are detected.

  1. Preserve evidence by exporting the Security log (run from PowerShell; create the target folder first, and record a SHA-256 of the export with Get-FileHash so its integrity can be shown later):
    New-Item -ItemType Directory -Path C:\Forensics -Force | Out-Null
    wevtutil epl Security "C:\Forensics\Security_$(Get-Date -Format 'yyyyMMdd_HHmmss').evtx"
  2. Analyze the complete timeline around the account change, anchored on the rename's own timestamp rather than on the current time (the most recent 4781 is used here; pick the record under investigation):
    $Rename = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} -MaxEvents 1
    $StartTime = $Rename.TimeCreated.AddHours(-2)
    $EndTime = $Rename.TimeCreated.AddHours(2)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648,4672,4781; StartTime=$StartTime; EndTime=$EndTime} | Sort-Object TimeCreated
  3. Check for related registry modifications. This applies to local (SAM) accounts only, and 4657 is written only when Object Access auditing is enabled and a SACL exists on the SAM hive keys, which is not the default; an empty result is therefore not evidence of absence:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} -ErrorAction SilentlyContinue | Where-Object {$_.Message -match 'SAM\\SAM\\Domains'}
  4. Examine process creation events around the time of change:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.TimeCreated -gt $StartTime -and $_.TimeCreated -lt $EndTime} | Select-Object TimeCreated, @{Name='Process';Expression={($_.Message -split '\n' | Where-Object {$_ -match 'New Process Name:'}) -replace '.*New Process Name:\s*',''}}
  5. Document findings and implement containment measures if malicious activity is confirmed:
    • Reset passwords for affected accounts
    • Review and revoke unnecessary administrative privileges
    • Update security policies and monitoring rules
    • Conduct additional system scans for indicators of compromise
Pro tip: Correlate Event 4781 with network logon events (4624 type 3) to identify remote systems involved in the account modification.
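The correlation the tip above describes, as an added example that is not part of the original article: each 4781 is joined to the 4624 that opened the subject's logon session (4781 Subject Logon ID equals 4624 Target Logon ID on the same host), which yields the logon type, authentication package, workstation and source address that 4781 itself does not carry, and a timeline is then built around the rename's own timestamp instead of around "now". All records are constructed samples carrying the named fields of the real events; host names, addresses and logon IDs are assumptions.

```powershell
# Added example (not from the original article). Records below are constructed
# samples shaped like the named fields of 4624, 4672, 4688 and 4781.

$events = @(
    [pscustomobject]@{ Id=4624; Time=[datetime]'2026-03-18 02:09:41'; TargetLogonId='0x5a3f2c'; TargetUser='CORP\helpdesk7'; LogonType=3; AuthPackage='NTLM';     Workstation='WKS-KIOSK3';  IpAddress='10.40.7.23' }
    [pscustomobject]@{ Id=4672; Time=[datetime]'2026-03-18 02:09:41'; SubjectLogonId='0x5a3f2c'; SubjectUser='CORP\helpdesk7'; Privileges='SeBackupPrivilege SeRestorePrivilege' }
    [pscustomobject]@{ Id=4688; Time=[datetime]'2026-03-18 02:12:58'; SubjectLogonId='0x5a3f2c'; SubjectUser='CORP\helpdesk7'; Process='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ Id=4781; Time=[datetime]'2026-03-18 02:13:05'; SubjectLogonId='0x5a3f2c'; SubjectUser='CORP\helpdesk7'; OldName='Administrator'; NewName='sysbackup'; TargetSid='S-1-5-21-1-2-3-500' }
    [pscustomobject]@{ Id=4624; Time=[datetime]'2026-03-18 09:58:10'; TargetLogonId='0x7b1e44'; TargetUser='CORP\svc-idm';    LogonType=3; AuthPackage='Kerberos'; Workstation='ADMIN-JUMP1'; IpAddress='10.10.0.5' }
    [pscustomobject]@{ Id=4781; Time=[datetime]'2026-03-18 10:15:00'; SubjectLogonId='0x7b1e44'; SubjectUser='CORP\svc-idm';    OldName='jdoe';          NewName='j.doe';     TargetSid='S-1-5-21-1-2-3-1234' }
)

function Get-Session4781 {
    # For each 4781, look up the 4624 whose Target Logon ID matches the rename's Subject Logon ID.
    # Logon IDs are unique only per boot of one host, so both events must come from the same
    # machine's log (the DC that wrote the 4781).
    param([object[]]$Events)
    $logons = @{}
    foreach ($l in ($Events | Where-Object Id -eq 4624)) { $logons[$l.TargetLogonId] = $l }
    foreach ($r in ($Events | Where-Object Id -eq 4781)) {
        $s = $logons[$r.SubjectLogonId]
        if (-not $s) {
            # No 4624 in range: the session predates the log window or the log was cleared
            $s = [pscustomobject]@{ LogonType=$null; AuthPackage=$null; Workstation='(no matching 4624 in the log)'; IpAddress=$null }
        }
        [pscustomobject]@{
            Time        = $r.Time
            Rename      = "$($r.OldName) -> $($r.NewName)"
            By          = $r.SubjectUser
            LogonId     = $r.SubjectLogonId
            LogonType   = $s.LogonType        # 3 = network: the rename came from another machine
            AuthPackage = $s.AuthPackage
            Workstation = $s.Workstation
            SourceIp    = $s.IpAddress
        }
    }
}

function Get-Timeline4781 {
    # Everything the same logon session did within +/- $Minutes of the rename,
    # anchored on the event time rather than on the current time.
    param([object[]]$Events, $Rename, [int]$Minutes = 120)
    $from = $Rename.Time.AddMinutes(-$Minutes)
    $to   = $Rename.Time.AddMinutes($Minutes)
    $Events | Where-Object {
        $_.Time -ge $from -and $_.Time -le $to -and
        ($_.SubjectLogonId -eq $Rename.SubjectLogonId -or $_.TargetLogonId -eq $Rename.SubjectLogonId)
    } | Sort-Object Time
}

Get-Session4781 -Events $events | Format-Table -AutoSize

# Drill into the rename of RID 500: what that logon session did around it
$suspect = $events | Where-Object { $_.Id -eq 4781 -and $_.TargetSid -match '-500$' } | Select-Object -First 1
Get-Timeline4781 -Events $events -Rename $suspect |
    Format-Table Id, Time, SubjectUser, TargetUser, Process, Workstation, IpAddress -AutoSize
```

The first table shows the Administrator rename coming from a type 3 NTLM logon off WKS-KIOSK3 at 10.40.7.23, while the jdoe rename traces to a Kerberos logon from the admin jump host; the second lists the 4624, 4672, 4688 and 4781 of session 0x5a3f2c in order. To feed it live data, build `$events` from Get-WinEvent by reading the XML field names (TargetLogonId, LogonType, AuthenticationPackageName, WorkstationName and IpAddress on 4624; SubjectLogonId on 4672, 4688 and 4781) in the same way as the parsing in step 02.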

Overview

Event ID 4781 fires whenever a user account name is modified in Windows, whether in Active Directory or the local Security Account Manager (SAM) database. This security audit event captures both the old and new account names, along with the identity of the user who performed the change. The event appears in the Security log and requires audit policy configuration to generate properly.

This event is essential for security monitoring because account name changes can indicate legitimate administrative actions or potentially malicious activity. Attackers sometimes rename accounts to hide their presence or create confusion during incident response. The event provides a complete audit trail showing who changed what account name, when the change occurred, and from which system.

Event 4781 generates on domain controllers for Active Directory accounts and on local systems for local user accounts. The event records the security context of the change, namely the Subject's SID, account name, domain and Logon ID and the Target's SID together with its old and new names; the Logon ID is the key for joining it to the 4624 logon event on the same host that shows where the session came from. Understanding this event helps administrators maintain proper security oversight and meet compliance requirements for user account management.

Frequently Asked Questions

What does Windows Event ID 4781 mean and when does it occur?
Event ID 4781 indicates that a user account name has been changed in Windows. This event fires whenever the sAMAccountName attribute is modified in Active Directory or when a local user account name is changed. The event captures both the old and new account names, along with details about who performed the change and when it occurred. It's generated on domain controllers for AD accounts and on local systems for local user accounts.
How can I tell if an Event 4781 represents legitimate administrative activity or a security threat?
Legitimate Event 4781 occurrences typically happen during business hours by authorized administrators following documented procedures. Suspicious indicators include: account name changes during off-hours, modifications by non-administrative users, rapid sequences of name changes, changes to high-privilege accounts, or modifications from unexpected systems. Cross-reference the event with your change management records and verify the user performing the change had proper authorization.
Why am I not seeing Event 4781 in my Security log even though account names have been changed?
Event 4781 requires proper audit policy configuration to generate. Check that 'Audit User Account Management' is enabled using 'auditpol /get /subcategory:"User Account Management"'. If disabled, enable it with 'auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable'. Also verify that the Security log isn't full and that log retention policies aren't causing events to be overwritten too quickly.
Can Event 4781 help me track down who renamed a specific user account?
Yes, Event 4781 provides detailed information about account name changes including the Subject field which shows exactly who performed the modification. The event includes the user's account name, domain, and logon ID. You can use PowerShell to search for specific account changes: 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4781} | Where-Object {$_.Message -match 'oldaccountname'}' to find when a particular account was renamed and by whom.
How should I respond if I discover unauthorized account name changes through Event 4781?
If Event 4781 reveals unauthorized account modifications, immediately preserve evidence by exporting the Security log, then investigate the timeline of events around the change. Check for related logon events (4624), privilege escalation (4672), and process creation (4688) events. Reset passwords for affected accounts, review administrative privileges, and scan for additional indicators of compromise. Document all findings and update security policies to prevent similar incidents. Consider implementing real-time monitoring for Event 4781 to catch future unauthorized changes quickly.