Member Added to Group

Windows 10

Windows 7

Flynn Weeks

April 21, 2022

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

A group membership change can indicate a user adding themselves to an administrative group without authorization, so it is important to monitor the groups that carry elevated permissions. This log is recommended by the NSA Cyber Event Forwarding Guidance.

Windows 10 Professional logs group membership changes by default. To view this log, open Event Viewer and select the Security log. To find group membership change events, sort or filter by Event ID 4732, which records a member being added to a security group.

To view this log from the command line with Get-WinEvent, open PowerShell as an administrator and run:
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4732'} -MaxEvents 1 | Format-List

To view this log from the command line with wevtutil, open PowerShell or Command Prompt as an administrator and run:
wevtutil qe Security "/q:*[System[(EventID=4732)]]"

View Logs:
    Get-WinEvent -FilterHashTable @{LogName='Security';ID='4732'} -MaxEvents 1 | Format-List

Check Logging Status:
    auditpol /get /subcategory:"security group management"

Disable Logging:
    auditpol /set /subcategory:"security group management" /Success:Disable /Failure:Disable

Enable Logging:
    auditpol /set /subcategory:"security group management" /Success:Enable /Failure:Enable
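The commands above show how to list raw 4732 events; the script below is an added example (not part of the original Log Pile entry) that turns those events into a short review table. It reads each event's XML, pulls out the group that was changed (TargetUserName), the member that was added (MemberSid, resolved to an account name where possible) and the account that made the change, and flags additions to a watch list of privileged groups. The group names in $WatchedGroups are assumptions to adjust for your environment.

```powershell
# Added example: summarise recent Event ID 4732 (member added to a security group)
# records and flag additions to privileged groups. Run in an elevated PowerShell.
# $WatchedGroups is an assumed watch list; edit it for your environment.
$WatchedGroups = @('Administrators', 'Remote Desktop Users', 'Backup Operators')

function Get-GroupAdditionEvents {
    param(
        [int]$MaxEvents = 50,
        [string[]]$Watched = $WatchedGroups
    )

    # Same filter as the page's one-liner, but returning several events
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4732 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The named fields (MemberSid, TargetUserName, ...) live in the event's XML EventData
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4732 usually carries only the member's SID; translate it to DOMAIN\name when possible
        $memberSid = $data['MemberSid']
        try {
            $sid    = New-Object System.Security.Principal.SecurityIdentifier($memberSid)
            $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $member = $memberSid   # unresolvable (deleted account, foreign domain): keep the SID
        }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Group      = $data['TargetUserName']
            Member     = $member
            AddedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Privileged = ($Watched -contains $data['TargetUserName'])
        }
    }
}

# Show only additions to the watched groups; drop the Where-Object to see everything
Get-GroupAdditionEvents | Where-Object Privileged | Format-Table -AutoSize
```

If the table is empty, confirm with the "Check Logging Status" command above that the Security Group Management subcategory is set to Success before assuming no changes occurred.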
Language: PowerShell