Windows Event ID 4738: A user account was changed
Windows Security Event ID 4738 records a change to a user account and provides visibility into security-relevant attribute modification.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
A domain controller logs the event when account properties such as UAC flags, delegation settings, password attributes, or profile fields are changed.
Key Fields
Subject
The account that performed the modification.
Target Account
The modified account. Compare old and new values with the expected identity state.
Changed Attributes
Fields such as User Account Control, AllowedToDelegateTo, and AccountExpires reveal the security impact of the change.
Common False Positives
- HR systems and directory synchronization update account attributes routinely.
- Administrators may modify account properties during access provisioning.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
T1098 is indicated when User Account Control enables DONT_REQ_PREAUTH, TRUSTED_FOR_DELEGATION, or PASSWORD_NEVER_EXPIRES, or AllowedToDelegateTo gains an SPN such as cifs/server. DONT_REQ_PREAUTH enables AS-REP roasting and delegation values expand impersonation paths. Review delegation changes in a window=60 minute interval with the initiating logon.
SecurityEvent
| where EventID == 4738
| project TimeGenerated, Computer, Account, TargetAccount, UserAccountControl, AllowedToDelegateTo
| order by TimeGenerated descindex=wineventlog EventCode=4738
| table _time, host, SubjectUserName, TargetUserName, UserAccountControl, AllowedToDelegateToSubject: CORP\admin.ops
Target Account: CORP\jsmith
User Account Control: Account enabled
AllowedToDelegateTo: cifs/file01.corp.example