Event ID 4733 A member of a security-enabled local group has been added/removed

lddj90 36 Reputation points
2020-12-22T10:10:21.433+00:00

Hi

I use Graylog to watch over my network and filter certain activities.

One activity I see monthly is the event 4733:

"A member of a security-enabled local group has been added."
"A member of a security-enabled local group has been removed."

EVENT ID:


-EventData
MemberName -
MemberSid S-1-5-21-4562109680-2797544447-134166554670-xxxx
TargetUserName Administratoren
TargetDomainName Builtin
TargetSid S-1-5-32-544
SubjectUserSid S-1-5-18
SubjectUserName My-Computer-1$
SubjectDomainName MyDomain
SubjectLogonId 0x3e7
PrivilegeList


I read through google and understand what the TargetSID, SubjectUserSID etc. is. What I can't resolve is the MemberSID to a username, this is probably because the MemberSID belonged to a deleted local account. It doesn't belong to any service account.

We do have a deploy management tool (pdqdeploy), network monitoring (prtg) and network inventory scans (docusnap) which run on all clients in the domain. But the event is not triggered on all clients, only on random few and only once a month or so.

What changes trigger this event in Windows 10? Why is a user added and then removed from the built-in admin group, and which user?

Thanks!

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,781 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. AliceYang-MSFT 2,081 Reputation points
    2020-12-23T09:42:14.487+00:00

    Hi,

    Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. For more information about SIDs, please see Security identifiers.

    I noticed that you are using Graylog. It’s recommended to check event viewer logs.

    • Open Event Viewer
    • Go to Windows Logs-->System
    • Click on Filter Current Log
    • Check all Event level options and replace <All EventIDs> with 4733.
    • Click on OK

    If you see same results like what you saw in Graylog, we could continue.

    Remember that there are some situations that Some SIDs do not resolve into friendly names. You can follow the link to check that whether the SID is a capability SID. If it’s a capability SID, you can let it go and it’s not a risk.

    But if it’s not a capability SID, you can use PsGetSid to resolve the SID to a user name. But this tool may doesn’t run on your PC because of compatibility issue. You can try find user name from a SID.

    As to the reason why this issue appears, sorry that we do not support root cause analysis. But you can call Global Customer Service for help or go to Support for business.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. lddj90 36 Reputation points
    2021-01-04T08:58:54.63+00:00

    Hi Alice

    Thanks for your answer and sorry for my late reply.

    I did check the event logs and filtered to 4733, they show the same results as Graylog. The Member SID doesn't match the entries in the registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'.

    So therefore iI figure it is not a capability SID. I tried getting the name from the SID, but no luck.

    Could it be possible that Lenovo is searching for Firmware updates and gets temporally rights to do so?

    Regards
    Raphael

    0 comments No comments

  3. AliceYang-MSFT 2,081 Reputation points
    2021-01-05T09:13:16.643+00:00

    Hi,

    I think it's not Lenovo. I believe that we all put customer's privacy first.

    This unknown SID might be a risk. Sorry that I haven't found a way to block the SID.

    But you can deny log on through RDS and from Network through GPO. IT department can deploy the group policy through the domain. After that, we can check whether this event happens again or not. If it disappears, we can say someone might log in remotely. If it still happens, I suppose that someone in the organization might do something unusual.

    Sorry again that I couldn't provide you a solution for this issue. You can call Global Customer Service or contact Microsoft Support for business for further help.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  4. lddj90 36 Reputation points
    2021-01-13T12:08:48.897+00:00

    HI

    I have blocked all log on through RDS and from Network. Still though the event happens.

    I was able to figure out the MemberSID. It belongs to a AD Group with certain members (like SW deploy User, AD Invetory Scan User ect.)

    I have checked and could it be that as scheduled task makes this event?

    Possible scheduled tasks:

    OnedriveStandaloneUpdateTask -> OneDriveStandaloneUpdater.exe
    AgentRuntimeActivation -> AgentActivationRuntimeStarter.exe

    What bothers me also, this happens not on all clients in the AD, if SW Update or Backup would trigger this, it would be on all clients. But just on certain ones randomly is strange.

    Thanks for your help.