Event ID 4786

A member was removed from a basic application group 

A member was removed from a basic application group.

Subject:
    Security ID:        %6
    Account Name:       %7
    Account Domain:     %8
    Logon ID:       %9

Member:
    Security ID:        %2
    Account Name:       %1

Group:
    Security ID:        %5
    Group Name:     %3
    Group Domain:       %4

Additional Information:
    Privileges:     %10


Auditing:     Conditional

It's recommended to audit this event when utilizing the Windows Authorization Manager.


Windows Authorization Manager (aka AzMan).

AzMan is considered deprecated as of Windows Server 2012 R2 and may be removed from future versions of Windows.



Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Application Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Domain Controller Audit Success
Audit Category:
Account Management

Audit Subcategory:
Application Group Management
Legacy Events:
690

LEFT/RIGHT arrow keys for navigation

Back to List