Event-o-Pedia EventID 4738 - A user account was changed.

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->User Account Management->EventID 4738 - A user account was changed.

EventID 4738 - A user account was changed.

Indicates that a user account ("Target Account") was successfully changed by "Subject" user.

Note:
In some cases the actual change may be not reflected in this event but another event will be created to show the details of the change. For example, if the user account name is changed, EventID 4781 will reflect this.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000/XP

EventID 642 - User account changed [Win 2000]

Windows 2003

EventID 642 - User Account Changed [Win 2003]

Sample:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/28/2009 8:29:29 PM
Event ID:      4738
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A user account was changed.
Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a
Target Account:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1145
	Account Name:		Paul
	Account Domain:		LOGISTICS
Changed Attributes:
	SAM Account Name:	-
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	10/28/2009 10:29:29 AM
	Account Expires:		-
	Primary Group ID:	-
	AllowedToDelegateTo:	-
	Old UAC Value:		-
	New UAC Value:		-
	User Account Control:	-
	User Parameters:	-
	SID History:		-
	Logon Hours:		-
Additional Information:
	Privileges:		-
===========================
Description template stored in adtschema.dll:
===========================
A user account was changed.

Subject:
	Security ID:		%5
	Account Name:		%6
	Account Domain:		%7
	Logon ID:		%8

Target Account:
	Security ID:		%4
	Account Name:		%2
	Account Domain:		%3

Changed Attributes:
	SAM Account Name:	%10
	Display Name:		%11
	User Principal Name:	%12
	Home Directory:		%13
	Home Drive:		%14
	Script Path:		%15
	Profile Path:		%16
	User Workstations:	%17
	Password Last Set:	%18
	Account Expires:		%19
	Primary Group ID:	%20
	AllowedToDelegateTo:	%21
	Old UAC Value:		%22
	New UAC Value:		%23
	User Account Control:	%24
	User Parameters:	%25
	SID History:		%26
	Logon Hours:		%27

Additional Information:
	Privileges:		%9

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Account Management
Source	Microsoft-Windows-Security-Auditing
TaskCategory	User Account Management
EventId	4738

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		-
Whom		-
Object Type		-
Class Name		-
Security ID		-
Account Name		-
Account Domain		-
Subject: Account Name	Name of the account that initiated the action.	InsertionString6	ALebovsky
Subject: Account Domain	Name of the domain that account initiating the action belongs to.	InsertionString7	LOGISTICS
Subject: Logon ID	A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.	InsertionString8	0x2a88a
Subject: Security ID		InsertionString5	S-1-5-21-1135140816-2109348461-2107143693-500
Target Account: Security ID		InsertionString4	S-1-5-21-1135140816-2109348461-2107143693-1145
Target Account: Account Name		InsertionString2	Paul
Target Account: Account Domain		InsertionString3	LOGISTICS
Changed Attributes: SAM Account Name		InsertionString10	-
Changed Attributes: Display Name		InsertionString11	-
Changed Attributes: User Principal Name		InsertionString12	-
Changed Attributes: Home Directory		InsertionString13	-
Changed Attributes: Home Drive		InsertionString14	-
Changed Attributes: Script Path		InsertionString15	-
Changed Attributes: Profile Path		InsertionString16	-
Changed Attributes: User Workstations		InsertionString17	-
Changed Attributes: Password Last Set		InsertionString18	10/28/2009 10:29:29 AM
Changed Attributes: Account Expires		InsertionString19	-
Changed Attributes: Primary Group ID		InsertionString20	-
Changed Attributes: AllowedToDelegateTo		InsertionString21	-
Changed Attributes: Old UAC Value		InsertionString22	-
Changed Attributes: New UAC Value		InsertionString23	-
Changed Attributes: User Account Control		InsertionString24	-
Changed Attributes: User Parameters		InsertionString25	-
Changed Attributes: SID History		InsertionString26	-
Changed Attributes: Logon Hours		InsertionString27	-
Additional Information: Privileges		InsertionString9	-