Share via


Active Directory: Event ID 4756-4757 When User Added or Removed From Security-Enabled Universal Group

Applies to: 

Windows Server 2008, 2008 R2 and 2012

Requirement: 

You would like to investigate who has added or removed a specific Domain User in Enterprise Admins group

Prerequisite: 

Auditing has to be configured on Domain controllers, especially, “Audit account management” policy must be configured and you need to define both **Success **and Failure policy settings. To configure Auditing on Domain Controllers, you need to edit and update DDCP (Default Domain Controller Policy)

When a User is Added to Security-Enabled UNIVERSALGroup, an event will be logged with Event ID: 4756

Event Details for Event ID: 4756

A member was added to a security-enabled universal group.

Subject:

  Security ID:  TESTLAB\Santosh

  Account Name:  Santosh

  Account Domain:  TESTLAB

  Logon ID:  0x50B79DA

Member:

  Security ID:  TESTLAB\Temp

  Account Name:  CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:

  Security ID:  TESTLAB\Enterprise Admins

  Account Name:  Enterprise Admins

  Account Domain:  TESTLAB

In this example,** TESTLAB\Santosh** has **added **user TESTLAB\Temp to Enterprise Admins group

When a User is** removed from Security-Enabled GLOBAL Group, an event will be logged with Event ID: 4757**

Event Details for Event ID: 4757

A member was removed from a security-enabled universal group.

Subject:

  Security ID:  TESTLAB\Santosh

  Account Name:  Santosh

  Account Domain:  TESTLAB

  Logon ID:  0x50B79DA

Member:

  Security ID:  TESTLAB\Temp

  Account Name:  CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET

Group:

  Security ID:  TESTLAB\Enterprise Admins

  Group Name:  Enterprise Admins

  Group Domain:  TESTLAB

 In this example, TESTLAB\Santosh has removed user TESTLAB\Temp from Enterprise Admins group.

See also: