Windows Security Log Event ID 4785
| Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category
• Subcategory | Account Management
• Application Group Management |
|
Type
|
Success
|
Corresponding events
in Windows
2003
and before |
689
|
4785: A member was added to a basic application group
On this page
The user in Subject: added Member: to the application group identified in Group:.
Application groups are part of Windows's role based access control for applications and are maintained in the Authorization Manager MMC snap-in.
This event does not report the common name (cn) of the group you are accustomed to seeing in Authorization Manager where application groups are maintained. This is really bad because the account name reported in this event isn't displayed anywhere in Authorization Manager. To find out the common name of the group look for the Directory Service Changes events immediately following this event which do report the common name.
Server 2016 adds the "Expiration time" field in version 2 of this event.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Member:
The member added to the group can be an AD Security Group, AD user or another application group defined in Authorization Manager. If the Security ID resembles ACME\$P21000-17E6DO409ITB the member is an application group.
- Security ID: The SID if the member is an AD Security group or user account; other wise if the ID is in the format of ACME\$P21000-17E6DO409ITB the member is another application group
- Account Name: the distinguished name of the member
Group:
- Security ID: The SID of the affected group
- Group Name: Name of affected group
- Group Domain: Domain of affected group
Attributes:
- SAM Account Name: Pre-win2k name of affected group
- SID History: used when migrating legacy NT domains or merging domains. Normally "-"
Additional Information:
- Privileges: always "-"
- Expiration time: (2016 and later)
Supercharger Enterprise
Load Balancing for Windows Event Collection
2016 and later
A member was added to a basic application group.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Member:
Security ID: ACME\bob
Account Name: CN=Kate Austen,OU=Hydra Station,DC=acme,DC=com
Group:
Security ID: ACME\$K21000-R2HC42Q10MLQ
Group Name: $K21000-R2HC42Q10MLQ
Group Domain: ACME
Additional Information:
Privileges: -
Expiration time: -
2012r2
A member was added to a basic application group.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x30999
Member:
Security ID: ACME\bob
Account Name: CN=Kate Austen,OU=Hydra Station,DC=acme,DC=com
Group:
Security ID: ACME\$K21000-R2HC42Q10MLQ
Group Name: $K21000-R2HC42Q10MLQ
Group Domain: ACME
Additional Information:
Privileges: -
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection