Event ID - 642

Event Id642
DescriptionUser Account Changed:

Target Account Name: <Target Account Name>
      Target Domain: <Target Domain>
      Target Account ID: <Target Account ID>
      Caller User Name: <Caller User Name>
      Caller Domain: <Caller Domain>
      Caller Logon ID: <Caller Logon ID>
      Privileges: <Privileges>      

Changed Attributes:
      Sam Account Name: <Sam Account Name>
      Display Name: <Display Name>
      User Principal Name: <User Principal Name>
      Home Directory: <Home Directory>
      Home Drive: <Home Drive>
      Script Path: <Script Path>
      Profile Path: <Profile Path>
      User Workstations: <User Workstations>
      Password Last Set: <Password Last Set>
      Account Expires: <Account Expires>
      Primary Group ID: <Primary Group ID>
      AllowedToDelegateTo: <AllowedToDelegateTo>
      Old UAC Value: <Old UAC Value>
      New UAC Value: <New UAC Value>
      User Account Control: <User Account Control>
      User Parameters: <User Parameters>
      Sid History: <Sid History>
      Logon Hours: <Logon Hours>     

Event InformationAccording to Microsoft:
Cause :
A security-relevant property of the user account was changed.

This event is generated only when one of the following properties changes: Sam Account Name, Display Name, User Principal Name, Home Directory, Home Drive, Script Path, Profile Path, User Workstations, Password Last Set, Account Expires, Primary Group ID, AllowedToDelegateTo, UserAccountControl bit list, User Account Control, User Parameters, Sid History, or Logon Hours.
Resolution :
No user action is required.


This event indicates that a user account has been changed. There is no Failure Audit form for this audit event record. User account changes can have security implications.The administrator should confirm that there are no security implications because of this change.

Note that this event replaces Security event 626 and Security event 629.
Reference LinksEvent ID 642 from Source security

Alternate Event ID in Vista and Windows Server 2008 is 4738.

Tracking User Activities (White Paper)

Some changes to SAM accounts are not explained in audit event 642

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.