Event ID 4756

A member was added to a security-enabled universal group 

A member was added to a security-enabled universal group.

Subject:
    Security ID:     %6
    Account Name:    %7
    Account Domain:  %8
    Logon ID:        %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Account Name:       %3
    Account Domain:     %4

Additional Information:
    Privileges:     %10


Event ID 4756 is the same as event ID 4732, but event ID 4756 is generated for a universal security group instead of a local security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. You may reference the event fields, XML, and recommendations here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732

Auditing:     Always

Since security groups may control access to sensitive data & settings, changes to security group memberships should always be audited.


Volume:     Low


ISO 27001:2013 A.9.2.5




Name Field Insertion String OS Example
Account Name MemberName %1 Any CN=Bob Smith,OU=Users,OU=MyBusiness,DC=Domain,DC=local
Security ID MemberSid %2 Any DOMAIN\bSmith
Account Name TargetUserName %3 Any Schema Admins
Account Domain TargetDomainName %4 Any DOMAIN
Security ID TargetSid %5 Any DOMAIN\Schema Admins
Security ID SubjectUserSid %6 Any DOMAIN\TheAdmin
Account Name SubjectUserName %7 Any TheAdmin
Account Domain SubjectDomainName %8 Any DOMAIN
Logon ID SubjectLogonId %9 Any 0x3e6
Privileges PrivilegeList %10 Any View Codes

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 2008 R2 Windows 2012 R2 Windows 2016 Windows 2008 Windows 2019 Windows 2022

Tags:
Domain Controller ISO 27001:2013
Audit Category:
Account Management

Audit Subcategory:
Security Group Management
Legacy Events:
660

LEFT/RIGHT arrow keys for navigation

Back to List