Event ID 4735

A security-enabled local group was changed 

A security-enabled local group was changed.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

Group:
    Security ID:        %3
    Group Name:         %1
    Group Domain:       %2

Changed Attributes:
    SAM Account Name:   %9
    SID History:        %10

Additional Information:
    Privileges:         %8


This event generates every time a security-enabled (security) local group is changed.

This event generates on domain controllers, member servers, and workstations.

Some changes do not invoke a 4735 event, for example, changes made using Active Directory Users and Computers management console in Managed By tab in group account properties.

If you change the name of the group (SAM Account Name), you also get “4781 The name of an account was changed” if “Audit User Account Management” subcategory success auditing is enabled.

If you change the group type, you get a change event from the new group type auditing subcategory instead of 4735. If you need to monitor for group type changes, it is better to monitor for “4764 A group’s type was changed.” These events are generated for any group type when group type is changed. “Audit Security Group Management” subcategory success auditing must be enabled.

From 4735 event you can get information about changes of sAMAccountName and sIDHistory attributes or you will see that something changed, but will not be able to see what exactly changed.

Microsoft Documentation

Event ID - 4735



Name Field Insertion String OS Example
Group Name TargetUserName %1 Any AccountOperators\_NEW
Group Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-6605
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any UserName
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x3031e
Privileges PrivilegeList %8 Any View Codes
SAM Account Name SamAccountName %9 Any AccountOperators\_NEW
SID History SidHistory %10 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
Security Group Management
Legacy Events:
639

Correlated Events:
4735 4764 4781

LEFT/RIGHT arrow keys for navigation

Back to List