Event ID 4799

A security-enabled local group membership was enumerated 

A security-enabled local group membership was enumerated.

Subject:
    Security ID:    %4
    Account Name:   %5
    Account Domain: %6
    Logon ID:       %7

Group:
    Security ID:  %3
    Group Name:   %1
    Group Domain: %2

Process Information:
    Process ID:   %8
    Process Name: %9


This event generates when a process enumerates the members of a security-enabled local group on the computer or device.

This event doesn't generate when group members were enumerated using Active Directory Users and Computers snap-in.

Microsoft Documentation

Event ID - 4799



Name Field Insertion String OS Example
Group Name TargetUserName %1 Any Administrator
Group Domain TargetDomainName %2 Any Builtin
Security ID TargetSid %3 Any S-1-5-32-544
Security ID SubjectUserSid %4 Any S-1-5-21-1377283216-344919071-3415362939-1104
Account Name SubjectUserName %5 Any dadmin
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x72d9d
Process ID CallerProcessId %8 Any 0xc80
Process Name CallerProcessName %9 Any C:\Windows\System32\mmc.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Security Group Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Account Management

Audit Subcategory:
Security Group Management

LEFT/RIGHT arrow keys for navigation

Back to List