Active Directory: Event ID 4732-4733 when user added or removed from security-enabled domain local group
Applies to
Windows Server 2008, 2008 R2 and 2012
Requirement
You would like to investigate who added a specific domain user to, or removed it from, the DnsAdmins group.
Prerequisites
Auditing has to be configured on domain controllers. In particular, the “Audit account management” policy must be configured, and you need to define both the **Success** and Failure policy settings. To configure auditing on domain controllers, edit and update the DDCP (Default Domain Controllers Policy).
When a user is added to a security-enabled DOMAIN LOCAL group, an event will be logged with Event ID: 4732.
Event Details for Event ID: 4732
A member was added to a security-enabled local group.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x50B79DA
Member:
Security ID: TESTLAB\Temp
Account Name: CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
Group:
Security ID: TESTLAB\DnsAdmins
Group Name: DnsAdmins
Group Domain: TESTLAB
In this example, **TESTLAB\Santosh** has **added** user TESTLAB\Temp to the DnsAdmins group.
When a user is **removed** from a security-enabled DOMAIN LOCAL group, an event will be logged with Event ID: 4733.
Event Details for Event ID: 4733
A member was removed from a security-enabled local group.
Subject:
Security ID: TESTLAB\Santosh
Account Name: Santosh
Account Domain: TESTLAB
Logon ID: 0x50B79DA
Member:
Security ID: TESTLAB\Temp
Account Name: CN=Temp,CN=Users,DC=AD,DC=TESTLAB,DC=NET
Group:
Security ID: TESTLAB\DnsAdmins
Group Name: DnsAdmins
Group Domain: TESTLAB
In this example, TESTLAB\Santosh has removed user TESTLAB\Temp from DnsAdmins group.
See also
- Event ID when a user is added or removed from security-enabled UNIVERSAL group such as Enterprise Admins
- Event ID when a user is added or removed from security-enabled GLOBAL group such as Domain Admins or Group Policy Creator Owners
- Configuring Audit Policies
- Strengthening Domain Controller Policy Settings
- Reviewing Audit Settings on Important Active Directory Objects
- Recommendations: Strengthening Domain and Domain Controller Policy Settings