4738: User account Change
Posted 5/3/2017 6:27:49 AM
Forum Newbie

Group: Forum Members
Last Login: 5/3/2017 6:14:55 AM
Posts: 1, Visits: 0
When is the 4738 (User Account Changed) event created?
Post #7363
Posted 5/3/2017 1:12:45 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
This event is generated anytime a user property is changed.
Post #7367
Posted 10/9/2019 11:49:06 AM
Forum Newbie

Group: Forum Members
Last Login: 10/9/2019 10:23:51 AM
Posts: 2, Visits: 0
How can I get ALL attribute changes of a user account recorded in the security event log? If I edit attributes like 'home directory' then it will be recorded in the event log. If I edit an attribute that is custom, the change is not recorded. Any ideas? Thank you.
Post #8596
Posted 10/21/2019 10:27:12 AM
Junior Member

Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 22, Visits: 0
Only the event fields in the event will be logged. This is what Microsoft says about the event fields:

This event generates every time user object is changed.

This event generates on domain controllers, member servers, and workstations.

For each change, a separate 4738 event will be generated.

You might see this event without any changes inside, that is, where all Changed Attributes appear as “-”. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the discretionary access control list (DACL) is changed, a 4738 event will generate, but all attributes will be “-”.

Some changes do not invoke a 4738 event.
Post #8598
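
Added example, not part of any post in this thread: a triage helper for exported 4738 event XML that separates events naming a changed attribute from events where every Changed Attribute is "-" (the custom-attribute and DACL case described in the last answer). The `Data` field names are assumed from the 4738 event schema rather than taken from this thread, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Data names of the "Changed Attributes" block, assumed from the 4738 schema
# (not listed in this thread). OldUacValue/NewUacValue are always populated,
# so UserAccountControl is the field that signals a UAC change.
CHANGED_ATTRIBUTES = (
    "SamAccountName", "DisplayName", "UserPrincipalName", "HomeDirectory",
    "HomePath", "ScriptPath", "ProfilePath", "UserWorkstations",
    "PasswordLastSet", "AccountExpires", "PrimaryGroupId",
    "AllowedToDelegateTo", "UserAccountControl", "UserParameters",
    "SidHistory", "LogonHours",
)

def classify_4738(event_xml):
    """Return (target, changes); empty changes = an unlisted attribute changed."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id is None or event_id.strip() != "4738":
        raise ValueError("not a 4738 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    changes = {name: data[name] for name in CHANGED_ATTRIBUTES
               if data.get(name, "-") not in ("-", "")}
    return data.get("TargetUserName", "?"), changes

def _sample(target, **fields):
    """Build a constructed 4738 event; unspecified attributes are '-'."""
    values = dict.fromkeys(CHANGED_ATTRIBUTES, "-")
    values.update(fields, TargetUserName=target)
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in values.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4738</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed samples: a home-directory edit, then a custom-attribute edit.
SAMPLES = [
    _sample("jdoe", HomeDirectory=r"\\fs01\home\jdoe"),
    _sample("jdoe"),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        target, changes = classify_4738(xml_text)
        if changes:
            print(f"{target}: changed {changes}")
        else:
            print(f"{target}: all Changed Attributes are '-', attribute unknown")
```
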
All times are GMT -5:00.