This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 71%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Hi
I use Graylog to watch over my network and filter certain activities.
One activity I see monthly is the event 4733:
"A member of a security-enabled local group has been added."
"A member of a security-enabled local group has been removed."
EVENT ID:
-EventData
MemberName -
MemberSid S-1-5-21-4562109680-2797544447-134166554670-xxxx
TargetUserName Administratoren
TargetDomainName Builtin
TargetSid S-1-5-32-544
SubjectUserSid S-1-5-18
SubjectUserName My-Computer-1$
SubjectDomainName MyDomain
SubjectLogonId 0x3e7
PrivilegeList
I read through google and understand what the TargetSID, SubjectUserSID etc. is. What I can't resolve is the MemberSID to a username, this is probably because the MemberSID belonged to a deleted local account. It doesn't belong to any service account.
We do have a deploy management tool (pdqdeploy), network monitoring (prtg) and network inventory scans (docusnap) which run on all clients in the domain. But the event is not triggered on all clients, only on random few and only once a month or so.
What changes trigger this event in Windows 10? Why is a user added and then removed from the built-in admin group, and which user?
Thanks!
Hi,
Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. For more information about SIDs, please see Security identifiers.
I noticed that you are using Graylog. It’s recommended to check event viewer logs.
If you see same results like what you saw in Graylog, we could continue.
Remember that there are some situations that Some SIDs do not resolve into friendly names. You can follow the link to check that whether the SID is a capability SID. If it’s a capability SID, you can let it go and it’s not a risk.
But if it’s not a capability SID, you can use PsGetSid to resolve the SID to a user name. But this tool may doesn’t run on your PC because of compatibility issue. You can try find user name from a SID.
As to the reason why this issue appears, sorry that we do not support root cause analysis. But you can call Global Customer Service for help or go to Support for business.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Alice
Thanks for your answer and sorry for my late reply.
I did check the event logs and filtered to 4733, they show the same results as Graylog. The Member SID doesn't match the entries in the registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'.
So therefore iI figure it is not a capability SID. I tried getting the name from the SID, but no luck.
Could it be possible that Lenovo is searching for Firmware updates and gets temporally rights to do so?
Regards
Raphael
Hi,
I think it's not Lenovo. I believe that we all put customer's privacy first.
This unknown SID might be a risk. Sorry that I haven't found a way to block the SID.
But you can deny log on through RDS and from Network through GPO. IT department can deploy the group policy through the domain. After that, we can check whether this event happens again or not. If it disappears, we can say someone might log in remotely. If it still happens, I suppose that someone in the organization might do something unusual.
Sorry again that I couldn't provide you a solution for this issue. You can call Global Customer Service or contact Microsoft Support for business for further help.
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
----------
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
HI
I have blocked all log on through RDS and from Network. Still though the event happens.
I was able to figure out the MemberSID. It belongs to a AD Group with certain members (like SW deploy User, AD Invetory Scan User ect.)
I have checked and could it be that as scheduled task makes this event?
Possible scheduled tasks:
OnedriveStandaloneUpdateTask -> OneDriveStandaloneUpdater.exe
AgentRuntimeActivation -> AgentActivationRuntimeStarter.exe
What bothers me also, this happens not on all clients in the AD, if SW Update or Backup would trigger this, it would be on all clients. But just on certain ones randomly is strange.
Thanks for your help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 13%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hello @lddj90-4393
How did you find the AD group with that particular SID? I am experiencing a similar issue.
Thank you
HI, I was able to figure out the SID and the associated AD Group using our IT-inventarisation Tool (called Docusnap). It supports an AD Scan option, there are all SID listened and I got lucky and found the SID of the Member.
Have you tried to check all AD Group SIDs?