SOC Event Lookup
Event ID 4738AccountMgmtP1

Windows Event ID 4738: A user account was changed

Windows Security Event ID 4738 records a change to a user account and provides visibility into security-relevant attribute modification.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

A domain controller logs the event when account properties such as UAC flags, delegation settings, password attributes, or profile fields are changed.

Key Fields

Subject

The account that performed the modification.

Target Account

The modified account. Compare old and new values with the expected identity state.

Changed Attributes

Fields such as User Account Control, AllowedToDelegateTo, and AccountExpires reveal the security impact of the change.

Common False Positives

  • HR systems and directory synchronization update account attributes routinely.
  • Administrators may modify account properties during access provisioning.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation

Detection Notes

T1098 is indicated when User Account Control enables DONT_REQ_PREAUTH, TRUSTED_FOR_DELEGATION, or PASSWORD_NEVER_EXPIRES, or AllowedToDelegateTo gains an SPN such as cifs/server. DONT_REQ_PREAUTH enables AS-REP roasting and delegation values expand impersonation paths. Review delegation changes in a window=60 minute interval with the initiating logon.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4738
| project TimeGenerated, Computer, Account, TargetAccount, UserAccountControl, AllowedToDelegateTo
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4738
| table _time, host, SubjectUserName, TargetUserName, UserAccountControl, AllowedToDelegateTo
Sample Log
Subject: CORP\admin.ops
Target Account: CORP\jsmith
User Account Control: Account enabled
AllowedToDelegateTo: cifs/file01.corp.example

Source