Windows Security Log Event ID 4787

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Account Management
 • Application Group Management
Type Success
Corresponding events
in Windows 2003
and before		 691  

4787: A non-member was added to a basic application group

On this page

Apparently this event is supposed to be logged when you add an exclusion to a basic application group but instead Windows logs 4785 with no indication that the member is an excluded member.

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Supercharger Enterprise


 

Examples of 4787

A non-member was added to a basic application group.

Subject:

   Security ID:  %6
   Account Name:  %7
   Account Domain:  %8
   Logon ID:  %9

Member:

   Security ID:  %2
   Account Name:  %1

Group:

   Security ID:  %5
   Account Name:  %3
   Account Domain:  %4

Additional Information:

   Privileges:  %10

A non-member is an account that is explicitly excluded from membership in a basic application group.  Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 4787
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources