This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 26%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Hey all,
• New AWS instance running Windows Server 2022 Datacenter (21H2)
Ran into a problem on a new server (AWS instance), running Windows Server 2022, where when I login (via Remote Desktop) as a user (Administrator, or otherwise), the login process is taking >3 minutes. It would seemingly get stuck at a blue screen, with just a power-button and the Accessibility button in the lower right corner.
At first, the session was just aborting... after about 45s it would close the RDP session. But a co-worker figured out if you just clicked the power button to bring up the menu, it would maintain the connection until the process was complete.
Once in, was able to see in the Event Viewer a whole bunch of 4798 'User Account Management' events, which is '...local group membership was enumerated'. There are 1500+ local OS user accounts on this machine. This machine is not part of a Domain, not part of Azure, not linked to an AD system - nothing like that. These are new accounts that I just created, via a Powershell script. Each of these users is only a member of 1 Group - one of 4 new local Groups that I created for these special authentication users.
So... why is it doing this? Every time somebody logs in it is going through this process. We have an older WS 2016 machine that we are migrating here - the old machine doesn't do this.
I'm OK with it perhaps having to do it once - these are brand new accounts, sure, there might be some administration to be done with them. But not every-single-time-anybody logs in??!! :(
We have these user accounts because there is a DB Management solution that can (and does) use the local OS accounts to authenticate against. So these users aren't actually ever logging into this machine. But as the Admin I need to log into it periodically, and I will be using RDP. (But my co-workers and I are the only ones.)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello J_at_Adatasol,
Thank you for posting in Q&A forum.
Security Monitoring Recommendations
For 4798(S): A user's local group membership was enumerated.
Important
For this event, also see Appendix A: Security monitoring recommendations for many audit events.
Ref: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
That information didn't result in a solution, unfortunately. There are no configurations for auditing any of the various events.
The links provided were for Windows 10; maybe that doesn't matter, that code base could be the same as for Server 2022. But something that might be important.
The specific Event 4798 seemed to show up only under 1 Policy Auditing configuration: Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> Audit User Account Management. That specific sub-category is also 'Not Configured'.
The process that generated the event is 'LoginUI.exe', which makes sense. So there doesn't seem to be anything strange there. But I don't know WHY it generated the event, what setting or configuration is telling it to enumerate ALL of the Local User Accounts whenever a single user account logs in. It doesn't appear to be a one-time event, either - it is happening multiple times. If I logout and log back in it goes through the same process.
I do not want to audit these groups - I don't want to audit anything.
Bumping this thread... why does Windows enumerate the group for all users, whenever only 1 user logs in? It makes the login process take about 2 minutes.
Bump to the top.