Event ID: 4728

A member was added to a security-enabled global group

A member was added to a security-enabled global group.

Subject:
    Security ID:        %6
    Account Name:       %7
    Account Domain:     %8
    Logon ID:           %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Group Name:         %3
    Group Domain:       %4

Additional Information:
    Privileges:         %10


Event ID 4728 is the same as event ID 4732, but event ID 4728 is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. You may reference the event fields, XML, and recommendations here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732

Auditing:     Always

Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.


Volume:     Low


ISO 27001:2013 A9.2.5
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2 (4)
CMMC L1




Name Field Insertion String OS Example
Account Name MemberName %1 Any CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local
Security ID MemberSid %2 Any DOMAIN\bSmith
Group Name TargetUserName %3 Any Your Group
Group Domain TargetDomainName %4 Any DOMAIN
Security ID TargetSid %5 Any DOMAIN\Your Group
Security ID SubjectUserSid %6 Any DOMAIN\TheAdmin
Account Name SubjectUserName %7 Any TheAdmin
Account Domain SubjectDomainName %8 Any DOMAIN
Logon ID SubjectLogonId %9 Any 0x3e7
Privileges PrivilegeList %10 Any View Codes


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"



LEFT/RIGHT arrow keys for navigation

Back to List