Windows Security Log Event ID 4732

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Account Management
 • Security Group Management
Type Success
Corresponding events
in Windows 2003
and before
636  

4732: A member was added to a security-enabled local group

On this page

The user in Subject: added the user/group/computer in Member: to the Security Local group in Group:.

This event is logged on domain controllers for Active Directory domain local groups and member computer for local SAM groups.  You can determine if the group is a domain or SAM group by comparing Group Domain: to the Computer: name.  If they match you have a SAM group, if they differ you have a domain group.

Active Directory

In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. A domain local group means the group can only be granted access to objects within its domain but can have members from any trusted domain.

Local SAM

All groups are security groups in the computer's SAM.  Local SAM groups can be granted access to objects on the local computer only but may have members from the local SAM and any trusted domain.
 

Server 2016 adds the "Expiration time" field in version 2 of this event. 

Free Security Log Resources by Randy

Description Fields in 4732

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Member:

  • Security ID:  The SID of the group's member
  • Account Name:  The distinguished name of the group's member
    (According to Microsoft Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-“ value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

Group:

  • Security ID:  The SID of the affected group
  • Group Name: Name of affected group
  • Group Domain:  Domain of affected group

Additional Information:

  • Privileges:  always "-"
  • Expiration time: (2016 and later)

 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4732

Windows 2016+

A member was added to a security-enabled local group.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Member:

   Security ID:  WIN-R9H529RIO4Y\bob
   Account Name:  -

Group:

   Security ID:  BUILTIN\Users
   Group Name:  Users
   Group Domain:  Builtin

Additional Information:

   Privileges:  -

   Expiration time:  -
 

Windows 2012r2

A member was added to a security-enabled local group.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Member:

   Security ID:  WIN-R9H529RIO4Y\bob
   Account Name:  -

Group:

   Security ID:  BUILTIN\Users
   Group Name:  Users
   Group Domain:  Builtin

Additional Information:

   Privileges:  -
 

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources