Event ID: 4732 - A member was added to a security-enabled local group
A member was added to a security-enabled local group.
Subject:
    Security ID: %6
    Account Name: %7
    Account Domain: %8
    Logon ID: %9
Member:
    Security ID: %2
    Account Name: %1
Group:
    Security ID: %5
    Group Name: %3
    Group Domain: %4
Additional Information:
    Privileges: %10
This event is generated every time a new member is added to a security-enabled (security) local group.
This event is generated on domain controllers, member servers, and workstations.
You will get a separate 4732 event for every member added.
Before a 4732 event you will typically see a “4735: A security-enabled local group was changed.” event that shows no changes.
Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.
ISO 27001:2013 A.9.2.5
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2 (4)
| Account Name | MemberName | %1 | Any | CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local |
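The following Python example is added here and is not part of the original reference: it parses 4732 events exported as XML and reports each member added to a sensitive built-in local group, skipping the 4735 event that usually precedes them. It uses the standard EventData field names (MemberSid, TargetSid, SubjectUserName and so on), of which only MemberName appears on this page; the choice of sensitive groups is an assumption and all sample events are constructed.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Keyed by well-known SID (group names are localized); the selection is an assumption.
SENSITIVE = {"S-1-5-32-544": "Administrators", "S-1-5-32-551": "Backup Operators",
             "S-1-5-32-555": "Remote Desktop Users"}

# Constructed, abbreviated sample events (Event Viewer XML layout); all SIDs,
# account names and the host name below are made up.
def make_event(event_id, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID><Computer>'
            f"WS01.domain.local</Computer></System><EventData>{fields}</EventData></Event>")

WHO = dict(SubjectUserSid="S-1-5-21-1111-2222-3333-1105", SubjectUserName="helpdesk1",
           SubjectDomainName="DOMAIN", SubjectLogonId="0x3e7a1", PrivilegeList="-")
SAMPLE = "<Events>" + "".join([
    make_event(4735, TargetUserName="Administrators", TargetSid="S-1-5-32-544", **WHO),
    make_event(4732, MemberName="CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local",
               MemberSid="S-1-5-21-1111-2222-3333-1201", TargetUserName="Administrators",
               TargetDomainName="Builtin", TargetSid="S-1-5-32-544", **WHO),
    make_event(4732, MemberName="-", MemberSid="S-1-5-21-4444-5555-6666-1002",
               TargetUserName="Remote Desktop Users", TargetSid="S-1-5-32-555", **WHO),
    make_event(4732, MemberName="-", MemberSid="S-1-5-21-4444-5555-6666-1003",
               TargetUserName="AppUsers", TargetSid="S-1-5-21-4444-5555-6666-1010", **WHO),
]) + "</Events>"

def parse_4732(xml_text):
    """Return one dict of EventData fields per 4732 event; other IDs are skipped."""
    records = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4732":
            continue
        rec = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", namespaces=NS)
        records.append(rec)
    return records

def sensitive_additions(records):
    """Return (host, actor, member, group) for each addition to a SENSITIVE group."""
    hits = []
    for r in records:
        if r.get("TargetSid") in SENSITIVE:
            # Member Account Name can be "-"; report the Member SID in that case.
            member = r["MemberSid"] if r.get("MemberName", "-") == "-" else r["MemberName"]
            actor = r["SubjectDomainName"] + "\\" + r["SubjectUserName"]
            hits.append((r["Computer"], actor, member, SENSITIVE[r["TargetSid"]]))
    return hits

if __name__ == "__main__":
    for hit in sensitive_additions(parse_4732(SAMPLE)):
        print("%s: %s added %s to %s" % hit)
```

Matching on the group SID rather than the group name keeps the check working on systems where the built-in group names are localized.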
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Security Group Management"