Event ID: 4733

A member was removed from a security-enabled local group 

A member was removed from a security-enabled local group.

Subject:
    Security ID:        %6
    Account Name:       %7
    Account Domain:     %8
    Logon ID:           %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Group Name:         %3
    Group Domain:       %4

Additional Information:
    Privileges:         %10


This event generates every time member was removed from security-enabled (security) local group.

This event generates on domain controllers, member servers, and workstations.

For every removed member you will get separate 4733 event.

You will typically see “4735: A security-enabled local group was changed.” event without any changes in it prior to 4733 event.

Microsoft Documentation

Event ID - 4733



Name Field Insertion String OS Example
Account Name MemberName %1 Any CN=Auditor,CN=Users,DC=contoso,DC=local
Security ID MemberSid %2 Any S-1-5-21-3457937927-2839227994-823803824-2104
Group Name TargetUserName %3 Any AccountOperators
Group Domain TargetDomainName %4 Any DOMAIN
Security ID TargetSid %5 Any S-1-5-21-3457937927-2839227994-823803824-6605
Security ID SubjectUserSid %6 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %7 Any UserName
Account Domain SubjectDomainName %8 Any DOMAIN
Logon ID SubjectLogonId %9 Any 0x35e38
Privileges PrivilegeList %10 Any View Codes

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
Security Group Management
Legacy Events:
637

LEFT/RIGHT arrow keys for navigation

Back to List