Event ID 4732
A member was added to a security-enabled local group
A member was added to a security-enabled local group.
Subject:
Security ID: %6
Account Name: %7
Account Domain: %8
Logon ID: %9
Member:
Security ID: %2
Account Name: %1
Group:
Security ID: %5
Group Name: %3
Group Domain: %4
Additional Information:
Privileges: %10
This event generates every time a new member is added to a security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every added member you will get a separate 4732 event.
You will typically see a “4735: A security-enabled local group was changed.” event, with no changes recorded in it, before the 4732 event.
Auditing:
Always
Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.
Volume:
Low
ISO 27001:2013 A.9.2.5
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2 (4)
CMMC v2 L1: AC.L1-3.1.1
Microsoft Documentation
| Name | Field | Insertion String | OS | Example |
|---|---|---|---|---|
| Account Name | MemberName | %1 | Any | CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local |
| Security ID | MemberSid | %2 | Any | DOMAIN\bSmith |
| Group Name | TargetUserName | %3 | Any | AccountOperators |
| Group Domain | TargetDomainName | %4 | Any | DOMAIN |
| Security ID | TargetSid | %5 | Any | DOMAIN\AccountOperators |
| Security ID | SubjectUserSid | %6 | Any | DOMAIN\TheAdmin |
| Account Name | SubjectUserName | %7 | Any | TheAdmin |
| Account Domain | SubjectDomainName | %8 | Any | DOMAIN |
| Logon ID | SubjectLogonId | %9 | Any | 0x3031e |
| Privileges | PrivilegeList | %10 | Any | View Codes |
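Added example (not part of the original page or of Microsoft's documentation): a Python parser that reads an exported 4732 event by the field names in the table above and flags additions to a watched group. The sample event, its SIDs and host name, and the one-entry watchlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption for this example: the watchlist holds only BUILTIN\Administrators
# (well-known SID S-1-5-32-544); extend it with the groups that matter locally.
WATCHED_GROUP_SIDS = {"S-1-5-32-544"}

# Constructed sample record; SIDs and host name are made up.
SAMPLE_4732 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4732</EventID><Computer>WS01.domain.local</Computer></System>
 <EventData>
  <Data Name="MemberName">CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local</Data>
  <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
  <Data Name="TargetUserName">Administrators</Data>
  <Data Name="TargetDomainName">Builtin</Data>
  <Data Name="TargetSid">S-1-5-32-544</Data>
  <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
  <Data Name="SubjectUserName">TheAdmin</Data>
  <Data Name="SubjectDomainName">DOMAIN</Data>
  <Data Name="SubjectLogonId">0x3031e</Data>
  <Data Name="PrivilegeList">-</Data>
 </EventData>
</Event>"""


def parse_4732(xml_text):
    """Return a triage record for a 4732 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4732":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # MemberName is often "-" for local-group changes, so fall back to
    # MemberSid to keep the added member identifiable.
    member = data.get("MemberName", "")
    if member in ("", "-"):
        member = data.get("MemberSid", "")
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "actor": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        "member": member,
        "member_sid": data.get("MemberSid", ""),
        "group": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
        "watched": data.get("TargetSid") in WATCHED_GROUP_SIDS,
    }


if __name__ == "__main__":
    print(parse_4732(SAMPLE_4732))
```

The record matches on TargetSid rather than the group name because the raw event carries SIDs in the Security ID fields and group names can be localized or renamed.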
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Security Group Management"