Event ID 4728

A member was added to a security-enabled global group

A member was added to a security-enabled global group.

Subject:
    Security ID:        %6
    Account Name:       %7
    Account Domain:     %8
    Logon ID:           %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Group Name:         %3
    Group Domain:       %4

Additional Information:
    Privileges:         %10

Event ID 4728 is the same as event ID 4732, but event ID 4728 is generated for a global security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. You may reference the event fields, XML, and recommendations here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732

Auditing: Always

Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.

Volume: Low

ISO 27001:2013 A9.2.5
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2 (4)
CMMC v2 L1: AC.L1-3.1.1

	Field	Insertion String	OS	Example
Account Name	MemberName	%1	Any	CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local
Security ID	MemberSid	%2	Any	DOMAIN\bSmith
Group Name	TargetUserName	%3	Any	Your Group
Group Domain	TargetDomainName	%4	Any	DOMAIN
Security ID	TargetSid	%5	Any	DOMAIN\Your Group
Security ID	SubjectUserSid	%6	Any	DOMAIN\TheAdmin
Account Name	SubjectUserName	%7	Any	TheAdmin
Account Domain	SubjectDomainName	%8	Any	DOMAIN
Logon ID	SubjectLogonId	%9	Any	0x3e7
Privileges	PrivilegeList	%10	Any	View Codes

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Security Group Management"

How to enable Windows Auditing

Recommended Audit Policy

Legacy Events:

632

LEFT/RIGHT arrow keys for navigation

Back to List

Event ID 4728

Lookup Audit Policy Configuration Settings

Operating Systems:

Tags:

Audit Category:

Audit Subcategory:

Legacy Events: