Event ID: 4627

Group membership information

Group membership information.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Logon Type:             %9

New Logon:
    Security ID:        %5
    Account Name:       %6
    Account Domain:     %7
    Logon ID:           %8

Event in sequence:      %10 of %11

Group Membership:       %12

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.


This event shows extended group membership information for a user logon session. This event generates along with with event ID 4624 and shows the list of groups that the logged-on account belongs to. Multiple event 4626's are generated if the group membership information cannot fit in a single security audit event.

Auditing:     Always

It is recommended to enable auditing for all associated categories on domain controllers, servers and workstations.


Volume:     Low Medium High

Volume may be high on busy domain controllers.


Microsoft Documentation

Event ID - 4627



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any NULL SID
Account Name SubjectUserName %2 Any -
Account Domain SubjectDomainName %3 Any -
Logon ID SubjectLogonId %4 Any 0x0
Security ID TargetUserSid %5 Any THECOMPANY\TheUser
Account Name TargetUserName %6 Any TheUser
Account Domain TargetDomainName %7 Any THECOMPANY
Logon ID TargetLogonId %8 Any 0x569790
Logon Type LogonType %9 Any View Codes
Event in sequence EventIdx %10 Any 1
Events in sequence EventCountTotal %11 Any 1
Group Membership GroupMembership %12 Any Everyone,BUILTIN\Administrators,BUILTIN\Users


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Group Membership"


Audit Category:
Logon/Logoff

Audit Subcategory:
Group Membership
Correlated Events:
4624

LEFT/RIGHT arrow keys for navigation

Back to List