Event ID: 4756

A member was added to a security-enabled universal group

A member was added to a security-enabled universal group.

Subject:
    Security ID:     %6
    Account Name:    %7
    Account Domain:  %8
    Logon ID:        %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Account Name:       %3
    Account Domain:     %4

Additional Information:
    Privileges:     %10

Event ID 4756 is the same as event ID 4732, but event ID 4756 is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. You may reference the event fields, XML, and recommendations here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732

Auditing: Always

Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.

Volume: Low

ISO 27001:2013 A.9.2.5

	Field	Insertion String	OS	Example
Account Name	MemberName	%1	Any	CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local
Security ID	MemberSid	%2	Any	DOMAIN\bSmith
Account Name	TargetUserName	%3	Any	Schema Admins
Account Domain	TargetDomainName	%4	Any	DOMAIN
Security ID	TargetSid	%5	Any	DOMAIN\Schema Admins
Security ID	SubjectUserSid	%6	Any	DOMAIN\TheAdmin
Account Name	SubjectUserName	%7	Any	TheAdmin
Account Domain	SubjectDomainName	%8	Any	DOMAIN
Logon ID	SubjectLogonId	%9	Any	0x3e6
Privileges	PrivilegeList	%10	Any	View Codes

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Security Group Management"

How to enable Windows Auditing

Recommended Audit Policy

Legacy Events:

660

LEFT/RIGHT arrow keys for navigation

Back to List

Event ID: 4756

Lookup Audit Policy Configuration Settings

Operating Systems:

Tags:

Audit Category:

Audit Subcategory:

Legacy Events: