Microsoft Windows security auditing - 4738

- Source » Microsoft Windows security auditing
- Event ID » 4738
- Type » Success
- Category » User Account Management
- User » N/A
- Computer » LOCALCOMPUTERNAME
- Log » Security
- Opcode » Info
- Keywords » Audit Success
- InstanceID » 0
Description »
A user account was changed.

- Subject:
  - Security ID: NTDOMAIN\asmith
  - Account Name: asmith
  - Account Domain: NTDOMAIN
  - Logon ID: 0x29AA6
- Target Account:
  - Security ID: LOCALCOMPUTERNAME\TESTZZ
  - Account Name: TESTZZ
  - Account Domain: LOCALCOMPUTERNAME
- Changed Attributes:
  - SAM Account Name: TESTZZ
  - Display Name: TESTZZ
  - User Principal Name: -
  - Home Directory: <value not set>
  - Home Drive: <value not set>
  - Script Path: <value not set>
  - Profile Path: <value not set>
  - User Workstations: <value not set>
  - Password Last Set: 01/01/2014 14:19:32
  - Account Expires: <never>
  - Primary Group ID: 513
  - AllowedToDelegateTo: -
  - Old UAC Value: 0x10
  - New UAC Value: 0x10
  - User Account Control: -
  - User Parameters: -
  - SID History: -
  - Logon Hours: All
- Additional Information:

Data formatted as » EventData
- Dummy » -
- TargetUserName » TESTZZ
- TargetDomainName » LOCALCOMPUTERNAME
- TargetSid » S-1-5-21-1901825159-2140724311-413569567-1003
- SubjectUserSid » S-1-5-21-245765006-1623854500-3105827926-60516
- SubjectUserName » asmith
- SubjectDomainName » NTDOMAIN
- SubjectLogonId » 0x29aa6
- PrivilegeList » -
- SamAccountName » TESTZZ
- DisplayName » TESTZZ
- UserPrincipalName » -
- HomeDirectory » %%1793
- HomePath » %%1793
- ScriptPath » %%1793
- ProfilePath » %%1793
- UserWorkstations » %%1793
- PasswordLastSet » 01/01/2014 14:19:32
- AccountExpires » %%1794
- PrimaryGroupId » 513
- AllowedToDelegateTo » -
- OldUacValue » 0x10
- NewUacValue » 0x10
- UserAccountControl » -
- UserParameters » -
- SidHistory » -
- LogonHours » %%1797

A local (not Active Directory) user account has been changed. This may be a password reset, or a change to any other attribute of the account (e.g. the Full Name or Description).
The changes will be somewhere in the description and the EventData, but note that not everything that appears to have changed actually has. For example, the above sample is from a password reset using the lusrmgr.msc MMC snap-in, but this also seems to result in changes to (among other things) the home folder, password expiry and logon hours, even though only the password (and therefore the Password Last Set attribute) has been changed. The behaviour is the same when using net user [username] Pa55w0rd! to set the password.
The "subject" account is the one which has made the change. The "target" account is the one to which the change was made.
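
For triage, the points above can be applied mechanically. The following is an added example, not code from this page or from Microsoft: it reads the EventData of a 4738 event, resolves the `%%` placeholders using the pairings visible in the sample above, names the subject and target accounts, and separates the one attribute the event can prove changed (the old and new UAC values) from attributes that are merely reported. The XML is constructed from the page's sample values, and the function names `parse_4738` and `summarize` are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder meanings, read off by pairing this page's EventData with its description.
PLACEHOLDERS = {"%%1793": "<value not set>", "%%1794": "<never>", "%%1797": "All"}
# "Changed Attributes" fields that carry no old/new pair, so a value is not proof of change.
ATTRS = ("SamAccountName DisplayName UserPrincipalName HomeDirectory HomePath ScriptPath "
         "ProfilePath UserWorkstations PasswordLastSet AccountExpires PrimaryGroupId "
         "AllowedToDelegateTo UserParameters SidHistory LogonHours").split()

# Constructed XML: the page's sample values, trimmed to a subset of the fields.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID></System>
  <EventData>
    <Data Name="TargetUserName">TESTZZ</Data>
    <Data Name="TargetDomainName">LOCALCOMPUTERNAME</Data>
    <Data Name="SubjectUserName">asmith</Data>
    <Data Name="SubjectDomainName">NTDOMAIN</Data>
    <Data Name="HomeDirectory">%%1793</Data>
    <Data Name="PasswordLastSet">01/01/2014 14:19:32</Data>
    <Data Name="AllowedToDelegateTo">-</Data>
    <Data Name="OldUacValue">0x10</Data>
    <Data Name="NewUacValue">0x10</Data>
    <Data Name="LogonHours">%%1797</Data>
  </EventData>
</Event>"""


def parse_4738(xml_text):
    """Return the EventData fields of a 4738 event with placeholders resolved."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4738":
        raise ValueError("not a 4738 event")
    fields = {}
    for data in root.iterfind("e:EventData/e:Data", NS):
        value = (data.text or "").strip()
        fields[data.get("Name")] = PLACEHOLDERS.get(value, value)
    return fields


def summarize(fields):
    """Split what the event can prove (UAC bits) from what it merely reports."""
    old, new = int(fields["OldUacValue"], 16), int(fields["NewUacValue"], 16)
    return {
        "actor": fields["SubjectDomainName"] + "\\" + fields["SubjectUserName"],
        "target": fields["TargetDomainName"] + "\\" + fields["TargetUserName"],
        "uac_bits_changed": hex(old ^ new),  # 0x0 means no UAC flag was toggled
        "reported": {k: fields[k] for k in ATTRS if fields.get(k, "-") != "-"},
    }
```

Calling `summarize(parse_4738(SAMPLE_XML))` returns the actor, the target, the XOR of the two UAC values, and the attributes that carry a value other than `-`.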