Event ID when a user is added or removed from security-enabled DOMAIN LOCAL group such as DnsAdmins group

Applies to: Windows Server 2008, 2008 R2 and 2012

Requirement: You want to find out who added or removed a specific domain user in the DnsAdmins group.

Prerequisite: Auditing must be configured on the domain controllers; in particular, the "Audit account management" policy must be defined with both Success and Failure settings. To configure auditing on domain controllers, edit and update the Default Domain Controllers Policy (DDCP).

When a user is added to a security-enabled DOMAIN LOCAL group, an event is logged with Event ID 4732.

Event Details for Event ID 4732

A member was added to a security-enabled local group.

Subject:
    Security ID:        TESTLAB\Santosh
    Account Name:       Santosh
    Account Domain:     TESTLAB
    Logon ID:           0x50B79DA

Member:
    Security ID:        TESTLAB\Temp
    Account Name:       CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
    Security ID:        TESTLAB\DnsAdmins
    Group Name:         DnsAdmins
    Group Domain:       TESTLAB

In this example, TESTLAB\Santosh has added user TESTLAB\Temp to the DnsAdmins group.

When a user is removed from a security-enabled DOMAIN LOCAL group, an event is logged with Event ID 4733.

Event Details for Event ID 4733

A member was removed from a security-enabled local group.

Subject:
    Security ID:        TESTLAB\Santosh
    Account Name:       Santosh
    Account Domain:     TESTLAB
    Logon ID:           0x50B79DA

Member:
    Security ID:        TESTLAB\Temp
    Account Name:       CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:
    Security ID:        TESTLAB\DnsAdmins
    Group Name:         DnsAdmins
    Group Domain:       TESTLAB

In this example, TESTLAB\Santosh has removed user TESTLAB\Temp from the DnsAdmins group.
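The following PowerShell is an added example and is not part of the original wiki page. It pulls 4732 and 4733 events from a domain controller's Security log, flattens the Subject/Member/Group fields shown above into one object per event, and keeps only changes to the named group. The function names, the $GroupName parameter, the 30-day default window and the embedded sample event (with placeholder SIDs and timestamp) are this example's own constructions; the event data field names (SubjectUserName, MemberName, TargetUserName, and so on) are those of the real 4732/4733 event schema.

```powershell
# Added example (not from the original page): report who added or removed members of a
# security-enabled local group such as DnsAdmins, using Event IDs 4732 and 4733.
# Assumes the auditing prerequisite described above is already in place on the DC.

function ConvertFrom-GroupMembershipEvent {
    # Flatten one 4732/4733 event (as XML text) into a reporting object.
    param([Parameter(Mandatory)][string]$EventXml)

    [xml]$x = $EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Collect the <Data Name="..."> elements of EventData into a lookup table.
    $data = @{}
    foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $id = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText

    [pscustomobject]@{
        TimeCreated = $x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        EventId     = $id
        Action      = if ($id -eq 4732) { 'Added' } else { 'Removed' }
        Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']   # Subject
        LogonId     = $data['SubjectLogonId']
        Member      = $data['MemberName']        # distinguished name, as in the page's example
        MemberSid   = $data['MemberSid']
        Group       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']     # Group
    }
}

function Get-GroupMembershipChange {
    # Query the Security log for 4732 (added) and 4733 (removed) and keep only the named group.
    # $GroupName, $ComputerName and the 30-day default window are this example's own choices.
    param(
        [string]$GroupName    = 'DnsAdmins',
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime  = (Get-Date).AddDays(-30)
    )

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4732, 4733; StartTime = $StartTime
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupMembershipEvent -EventXml $_.ToXml() } |
        Where-Object { $_.Group -like "*\$GroupName" } |
        Sort-Object TimeCreated
}

# Constructed sample event mirroring the page's 4732 example, so the parser can be
# exercised offline. SIDs and the timestamp are placeholders, not values from the page.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2013-12-10T10:15:00.000000000Z" />
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="MemberName">CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET</Data>
    <Data Name="MemberSid">S-1-5-21-0-0-0-1234</Data>
    <Data Name="TargetUserName">DnsAdmins</Data>
    <Data Name="TargetDomainName">TESTLAB</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1102</Data>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1105</Data>
    <Data Name="SubjectUserName">Santosh</Data>
    <Data Name="SubjectDomainName">TESTLAB</Data>
    <Data Name="SubjectLogonId">0x50B79DA</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

# Offline demonstration: Actor TESTLAB\Santosh, Action Added, Group TESTLAB\DnsAdmins.
ConvertFrom-GroupMembershipEvent -EventXml $sampleEvent | Format-List

# Live use on a domain controller (requires the audit policy above and read access to the Security log):
# Get-GroupMembershipChange -GroupName 'DnsAdmins' | Format-Table TimeCreated, Action, Actor, Member, Group
```

Two practical notes: 4732/4733 are logged on the domain controller that processed the change, so run the query against each DC (or a central collector) rather than one server; and before trusting an empty result, confirm the prerequisite is really in effect with `auditpol /get /category:"Account Management"`, which lists the "Security Group Management" subcategory that produces these two events on Windows Server 2008 and later.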


