Event ID 4733
A member was removed from a security-enabled local groupA member was removed from a security-enabled local group. Subject: Security ID: %6 Account Name: %7 Account Domain: %8 Logon ID: %9 Member: Security ID: %2 Account Name: %1 Group: Security ID: %5 Group Name: %3 Group Domain: %4 Additional Information: Privileges: %10
This event generates every time member was removed from security-enabled (security) local group.
This event generates on domain controllers, member servers, and workstations.
For every removed member you will get separate 4733 event.
You will typically see “4735: A security-enabled local group was changed.” event without any changes in it prior to 4733 event.
Microsoft Documentation
Name | Field | Insertion String | OS | Example | ||
---|---|---|---|---|---|---|
Account Name | MemberName | %1 | Any | CN=Auditor,CN=Users,DC=contoso,DC=local | ||
Security ID | MemberSid | %2 | Any | S-1-5-21-3457937927-2839227994-823803824-2104 | ||
Group Name | TargetUserName | %3 | Any | AccountOperators | ||
Group Domain | TargetDomainName | %4 | Any | DOMAIN | ||
Security ID | TargetSid | %5 | Any | S-1-5-21-3457937927-2839227994-823803824-6605 | ||
Security ID | SubjectUserSid | %6 | Any | S-1-5-21-3457937927-2839227994-823803824-1104 | ||
Account Name | SubjectUserName | %7 | Any | UserName | ||
Account Domain | SubjectDomainName | %8 | Any | DOMAIN | ||
Logon ID | SubjectLogonId | %9 | Any | 0x35e38 | ||
Privileges | PrivilegeList | %10 | Any | View Codes |
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"Security Group Management"
LEFT/RIGHT arrow keys for navigation
Back to List