Event ID: 4627Group membership information
Group membership information. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Logon Type: %9 New Logon: Security ID: %5 Account Name: %6 Account Domain: %7 Logon ID: %8 Event in sequence: %10 of %11 Group Membership: %12 The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
This event shows extended group membership information for a user logon session. This event generates along with with event ID 4624 and shows the list of groups that the logged-on account belongs to. Multiple event 4626's are generated if the group membership information cannot fit in a single security audit event.
It is recommended to enable auditing for all associated categories on domain controllers, servers and workstations.
Volume may be high on busy domain controllers.
|Security ID||SubjectUserSid||%1||Any||NULL SID|
|Logon Type||LogonType||%9||Any||View Codes|
|Event in sequence||EventIdx||%10||Any||1|
|Events in sequence||EventCountTotal||%11||Any||1|
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Group Membership"
LEFT/RIGHT arrow keys for navigationBack to List