Event ID 4747

A member was removed from a security-disabled local group 

A member was removed from a security-disabled local group.

Subject:
    Security ID:    %6
    Account Name:   %7
    Account Domain: %8
    Logon ID:       %9

Member:
    Security ID:    %2
    Account Name:   %1

Group:
    Security ID:  %5
    Group Name:   %3
    Group Domain: %4

Additional Information:
    Privileges:     %10




Name Field Insertion String OS Example
Account Name MemberName %1 Any CN=Andrei,CN=Users,DC=hqcorp,DC=local
Security ID MemberSid %2 Any S-1-5-21-1913345275-1711810662-261465553-1120
Group Name TargetUserName %3 Any Distribution Local Group New
Group Domain TargetDomainName %4 Any DOMAIN
Security ID TargetSid %5 Any S-1-5-21-1913345275-1711810662-261465553-1144
Security ID SubjectUserSid %6 Any S-1-5-21-1913345275-1711810662-261465553-500
Account Name SubjectUserName %7 Any Administrator
Account Domain SubjectDomainName %8 Any DOMAIN
Logon ID SubjectLogonId %9 Any 0x1d9153
Privileges PrivilegeList %10 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Distribution Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Audit Category:
Account Management

Audit Subcategory:
Distribution Group Management
Legacy Events:
651

LEFT/RIGHT arrow keys for navigation

Back to List