Security Event ID 4738 – A user account was changed
This event generates every time a user object is changed.
This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
You might see this event without any changes inside, that is, where all Changed Attributes appear as "-". This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be "-".
Security Monitoring Recommendations
For 4738(S): A user account was changed.
- Some organizations monitor every 4738 event.
- If you have critical user accounts (for example, domain administrator accounts or service accounts) for which you need to monitor each change, monitor this event with the “Target Account\Account Name” that corresponds to the critical account or accounts.
- If you have user accounts for which any change in the services list on the Delegation tab should be monitored, monitor this event when AllowedToDelegateTo is not "-". A value other than "-" means the services list was changed.
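The recommendations above can be turned into a small triage routine over exported event XML. The following is an added example, not code from the original post: the watch list, the sample events and the reason labels are constructed, and it assumes the event XML carries "Target Account\Account Name" as the TargetUserName data field and the Changed Attributes under the names listed in CHANGED.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed watch list (constructed names); replace with your critical accounts.
CRITICAL = {"svc-backup", "da-admin"}
# EventData names assumed to back the "Changed Attributes" block of 4738.
CHANGED = (
    "SamAccountName", "DisplayName", "UserPrincipalName", "HomeDirectory",
    "HomePath", "ScriptPath", "ProfilePath", "UserWorkstations",
    "PasswordLastSet", "AccountExpires", "PrimaryGroupId", "AllowedToDelegateTo",
    "UserAccountControl", "UserParameters", "SidHistory", "LogonHours")

def triage_4738(event_xml, critical=CRITICAL):
    """Return the alert reasons for one event (empty list if none apply)."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4738":
        return []
    # Missing or empty fields are treated like the "-" placeholder.
    data = {d.get("Name"): (d.text or "").strip() or "-"
            for d in root.findall("e:EventData/e:Data", NS)}
    reasons = []
    if data.get("TargetUserName", "").lower() in critical:
        reasons.append("critical-account-changed")
    if data.get("AllowedToDelegateTo", "-") != "-":
        reasons.append("delegation-services-changed")
    # Every listed attribute is "-": something not shown (e.g. the DACL) changed.
    if all(data.get(name, "-") == "-" for name in CHANGED):
        reasons.append("unlisted-attribute-changed")
    return reasons

def sample_event(target, **attrs):
    """Build a constructed (not captured) 4738 event for the demo."""
    fields = {"TargetUserName": target, "SubjectUserName": "helpdesk1", **attrs}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4738</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

if __name__ == "__main__":
    for ev in (sample_event("svc-backup", DisplayName="Backup Svc"),
               sample_event("jdoe", AllowedToDelegateTo="cifs/fs01.corp.example"),
               sample_event("jdoe")):
        print(triage_4738(ev))
```

The "unlisted-attribute-changed" result cannot say which attribute was modified, so it is best treated as a prompt to review the account's permissions and directory change history.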