From cf981b2e64eff504394f5e7087bd7f94ca1870ed Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 31 Oct 2019 15:53:14 -0600 Subject: [PATCH] Update windows/security/threat-protection/auditing/event-4738.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-4738.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 7f5810c9b2..7bbfa91e88 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -196,7 +196,7 @@ Typical **Primary Group** values for user accounts: - **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here. -To decode this value, you can go through the property value definitions in the ["User’s or Computer’s account UAC flags."](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. +To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. Here's an example: Flags value from event: 0x15