Windows Security Log Event ID 4787
4787: A non-member was added to a basic application group
On this page
Apparently this event is supposed to be logged when you add an exclusion to a basic application group but instead Windows logs 4785 with no indication that the member is an excluded member.
I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.
Free Security Log Resources by Randy
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
A non-member was added to a basic application group.
Subject:
Security ID: %6
Account Name: %7
Account Domain: %8
Logon ID: %9
Member:
Security ID: %2
Account Name: %1
Group:
Security ID: %5
Account Name: %3
Account Domain: %4
Additional Information:
Privileges: %10
A non-member is an account that is explicitly excluded from membership in a basic application group. Even if the account is specified as a member of the application group, either explicitly or through nested group membership, the account will not be treated as a group member if it is listed as a non-member.
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection