Event ID: 4627

Group membership information

Group membership information.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Logon Type:             %9

New Logon:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Event in sequence:      %10 of %11

Group Membership:       %12

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
Microsoft Documentation

Event ID - 4627

Name               Field              Insertion String  OS   Example
Security ID        SubjectUserSid     %1                Any  NULL SID
Account Name       SubjectUserName    %2                Any  -
Account Domain     SubjectDomainName  %3                Any  -
Logon ID           SubjectLogonId     %4                Any  0x0
Security ID        TargetUserSid      %5                Any  THECOMPANY\TheUser
Account Name       TargetUserName     %6                Any  TheUser
Account Domain     TargetDomainName   %7                Any  TheUser
Logon ID           TargetLogonId      %8                Any  0x569790
Logon Type         LogonType          %9                Any  View Codes
Event in sequence  EventIdx           %10               Any  1
Event in sequence  EventCountTotal    %11               Any  1
Group Membership   GroupMembership    %12               Any  Everyone,BUILTIN\Administrators,BUILTIN\Users
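
The Logon ID correlation and the "Event in sequence" field described above, as an added example (not from Microsoft or the original page): it reassembles multi-part 4627 events and joins them to the user logon event (4624) through TargetLogonId. The records are constructed, and the dictionary layout and comma-separated GroupMembership format are assumptions based on the example values in the table.

```python
from collections import defaultdict

# Constructed sample records (not real logs), keyed by the field names in the
# table above. GroupMembership is comma-separated here, following the page's
# example value; raw event XML may format it differently (assumption).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetLogonId": "0x569790", "TargetUserName": "TheUser",
     "TargetDomainName": "THECOMPANY", "LogonType": 2},
    {"EventID": 4627, "TargetLogonId": "0x569790", "EventIdx": 2,
     "EventCountTotal": 2, "GroupMembership": "BUILTIN\\Users"},
    {"EventID": 4627, "TargetLogonId": "0x569790", "EventIdx": 1,
     "EventCountTotal": 2, "GroupMembership": "Everyone,BUILTIN\\Administrators"},
    {"EventID": 4627, "TargetLogonId": "0x5a0001", "EventIdx": 1,
     "EventCountTotal": 3, "GroupMembership": "Everyone"},
]


def logon_key(event):
    """Normalise the hex Logon ID so 0x0569790 and 0x569790 compare equal."""
    return int(str(event["TargetLogonId"]), 16)


def sessions_with_groups(events):
    """Join 4627 group lists to their 4624 logon by TargetLogonId."""
    logons, parts, expected = {}, defaultdict(dict), {}
    for ev in events:
        key = logon_key(ev)
        if ev["EventID"] == 4624:
            logons[key] = ev
        elif ev["EventID"] == 4627:
            # Events can arrive out of order; index each part by EventIdx.
            parts[key][int(ev["EventIdx"])] = ev["GroupMembership"]
            expected[key] = int(ev["EventCountTotal"])
    result = {}
    for key, chunks in parts.items():
        groups = []
        for idx in sorted(chunks):
            groups += [g.strip() for g in chunks[idx].split(",") if g.strip()]
        logon = logons.get(key)
        result[hex(key)] = {
            "account": f'{logon["TargetDomainName"]}\\{logon["TargetUserName"]}'
                       if logon else None,   # None: no matching 4624 was collected
            "logon_type": logon["LogonType"] if logon else None,
            "groups": groups,
            # False when some "N of M" parts are missing from the collection.
            "complete": set(chunks) == set(range(1, expected[key] + 1)),
        }
    return result
```

A Logon ID is only unique on one computer between restarts, so add the computer name to the key when processing events collected from several hosts.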

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Group Membership"

Operating Systems:
Windows 10, Windows 2016, Windows 2019

Audit Category:

Audit Subcategory:
Group Membership
Correlated Events:
