ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Active Directory management console showing group membership administration and security event monitoring
Event ID 4728InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4728 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Enabled Global Group

Event ID 4728 fires when a user or computer account is added to a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4728Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4728 represents a fundamental security audit mechanism in Windows Active Directory environments. When this event fires, it indicates that someone with appropriate permissions has successfully added a member to a security-enabled global group. The event provides comprehensive forensic information including the security identifier (SID) of both the added member and the target group, the logon session details of the account performing the action, and precise timestamps.

The event structure includes several key fields: Subject (who made the change), Member (the account being added), Group (the target group details), and Additional Information containing privilege and logon session data. The Subject section identifies the user account, domain, and logon ID responsible for the modification. The Member section shows the account name and SID being added to the group. The Group section provides the group name, domain, and SID being modified.

This audit event is particularly valuable for organizations implementing zero-trust security models or meeting compliance requirements like SOX, HIPAA, or PCI-DSS. Security information and event management (SIEM) systems frequently monitor Event ID 4728 to detect unusual group membership patterns, especially additions to high-privilege groups during off-hours or by unexpected accounts. The event also supports forensic investigations when determining the timeline of account privilege changes during security incidents.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Windows 10Windows 11
Analysis

Possible Causes

  • Administrator manually adding users to security groups through Active Directory Users and Computers console
  • PowerShell scripts executing Add-ADGroupMember or similar cmdlets to modify group membership
  • Automated provisioning systems adding accounts to groups based on role assignments
  • Third-party identity management tools synchronizing group memberships from HR systems
  • Service accounts being granted group memberships during application installations
  • Bulk user import operations that include group assignment specifications
  • Group Policy Preferences configuring local group memberships on domain computers
  • LDAP applications programmatically modifying Active Directory group objects
  • Exchange Server automatically adding mailbox users to mail-enabled security groups
  • Privileged access management (PAM) solutions temporarily elevating user permissions
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand who made the change and which accounts were affected.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4728 using the filter option or search functionality
  4. Double-click the event to view detailed information including:
    • Subject: Account that performed the action
    • Member: Account that was added to the group
    • Group: Target security group details
    • Additional Information: Privileges used and logon session
  5. Note the timestamp, source computer, and correlation with other security events
  6. Cross-reference the Subject account with expected administrative activities
Pro tip: Look for the "Privileges" field in Additional Information to see which privileges were used to make the change, such as SeSecurityPrivilege or SeTakeOwnershipPrivilege.
02

Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze multiple Event ID 4728 occurrences and identify patterns or anomalies in group membership changes.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent group membership additions:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Subject';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*'} | Select-Object -First 3) -join ' '}}, @{Name='Group';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Group:*'} | Select-Object -First 2) -join ' '}} | Format-Table -AutoSize
  3. Filter for specific high-privilege groups:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} | Where-Object {$_.Message -like '*Domain Admins*' -or $_.Message -like '*Enterprise Admins*' -or $_.Message -like '*Schema Admins*'} | Select-Object TimeCreated, Message
  4. Analyze events by specific user account:
    $TargetUser = "username"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} | Where-Object {$_.Message -like "*$TargetUser*"} | Select-Object TimeCreated, @{Name='Details';Expression={$_.Message}} | Format-List
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\GroupMembershipChanges.csv" -NoTypeInformation
Warning: Large Active Directory environments may generate thousands of these events daily. Use time filters and specific group targeting to avoid performance issues.
03

Correlate with Active Directory Group Changes

Cross-reference Event ID 4728 with actual Active Directory group membership to verify legitimate changes and detect potential issues.

  1. Identify the affected group from the event details
  2. Check current group membership using Active Directory PowerShell:
    Import-Module ActiveDirectory
$GroupName = "Domain Admins"  # Replace with actual group name
Get-ADGroupMember -Identity $GroupName | Select-Object Name, SamAccountName, ObjectClass, DistinguishedName
  3. Review group modification history:
    Get-ADGroup -Identity $GroupName -Properties whenChanged, whenCreated, managedBy | Select-Object Name, whenCreated, whenChanged, managedBy
  4. Check for recent group membership changes across multiple domain controllers:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=4728; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, MachineName
}
  5. Validate the change was authorized by checking change management records or service desk tickets
  6. If unauthorized, immediately review the added account's current permissions and recent activities
Pro tip: Use Get-ADReplicationAttributeMetadata to see detailed replication information about when and where group membership changes originated.
04

Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on suspicious group membership changes in real-time.

  1. Create a custom Event Viewer task for immediate notification:
    • In Event Viewer, right-click on the Event ID 4728 entry
    • Select Attach Task To This Event
    • Configure email alerts or script execution for high-privilege group changes
  2. Configure Windows Event Forwarding (WEF) to centralize events:
    # On collector server
wecutil qc
wecutil cs subscription.xml  # Create subscription file first
  3. Set up PowerShell-based monitoring script:
    # Save as MonitorGroupChanges.ps1
$HighPrivilegeGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = 4728" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    $Message = $Event.Message
    
    foreach ($Group in $HighPrivilegeGroups) {
        if ($Message -like "*$Group*") {
            Send-MailMessage -To "security@company.com" -From "monitoring@company.com" -Subject "ALERT: High-Privilege Group Modified" -Body $Message -SmtpServer "mail.company.com"
            break
        }
    }
}
  4. Configure Group Policy to enable advanced audit policies:
    • Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management
    • Enable Audit Security Group Management for Success events
  5. Implement SIEM integration using Windows Event Log forwarding or agents
Warning: Ensure monitoring systems have appropriate permissions and network connectivity to all domain controllers for comprehensive coverage.
05

Forensic Investigation and Incident Response

Conduct thorough forensic analysis when Event ID 4728 indicates potential security incidents or unauthorized access.

  1. Preserve evidence by exporting relevant security logs:
    # Export security events around the incident timeframe
$StartTime = (Get-Date "2026-03-18 14:00:00")
$EndTime = (Get-Date "2026-03-18 16:00:00")
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime} | Export-Clixml -Path "C:\Forensics\SecurityEvents_$(Get-Date -Format 'yyyyMMdd_HHmmss').xml"
  2. Analyze the complete logon session of the subject account:
    # Find logon events for the subject account
$SubjectAccount = "DOMAIN\username"  # From Event ID 4728 details
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4634} | Where-Object {$_.Message -like "*$SubjectAccount*"} | Select-Object TimeCreated, Id, Message
  3. Check for privilege escalation events preceding the group modification:
    # Look for privilege use events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674} -MaxEvents 100 | Where-Object {$_.TimeCreated -ge $StartTime -and $_.TimeCreated -le $EndTime} | Format-Table TimeCreated, Id, Message -Wrap
  4. Examine related Active Directory changes:
    # Check for other AD modifications
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4754,4755,4756,4757,4758} | Where-Object {$_.TimeCreated -ge $StartTime.AddMinutes(-30) -and $_.TimeCreated -le $EndTime.AddMinutes(30)} | Sort-Object TimeCreated
  5. Document findings and create incident timeline:
    • Record all relevant event IDs, timestamps, and affected accounts
    • Identify the attack vector and potential impact scope
    • Determine if additional systems or accounts were compromised
    • Implement containment measures if unauthorized access is confirmed
  6. Review and update security policies based on investigation findings
Pro tip: Use PowerShell's Export-Clixml and Import-Clixml for preserving exact event object properties during forensic analysis, maintaining data integrity for legal proceedings.

Overview

Event ID 4728 is a security audit event that fires whenever a member is added to a security-enabled global group in Active Directory. This event is part of Windows advanced audit policy and only appears when object access auditing is enabled for group management activities.

The event captures critical details including who performed the action, which account was added, the target group name, and when the change occurred. Domain controllers generate this event in the Security log, making it essential for tracking privileged group modifications like Domain Admins, Enterprise Admins, or custom security groups.

Security teams rely on Event ID 4728 for compliance reporting, insider threat detection, and investigating unauthorized privilege escalation. The event fires immediately when group membership changes through Active Directory Users and Computers, PowerShell cmdlets, or programmatic LDAP operations. Understanding this event helps administrators maintain proper access controls and detect suspicious group modifications that could indicate compromise or policy violations.

Frequently Asked Questions

What does Event ID 4728 mean and why is it important?+
Event ID 4728 indicates that a member was successfully added to a security-enabled global group in Active Directory. This event is crucial for security monitoring because it tracks changes to group memberships, especially for high-privilege groups like Domain Admins or Enterprise Admins. Security teams use this event to detect unauthorized privilege escalation, ensure compliance with access control policies, and maintain audit trails for regulatory requirements. The event provides detailed information about who made the change, which account was added, and when the modification occurred.
How can I filter Event ID 4728 for only high-privilege group changes?+
You can filter Event ID 4728 for high-privilege groups using PowerShell with specific group name matching. Use this command: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728} | Where-Object {$_.Message -like '*Domain Admins*' -or $_.Message -like '*Enterprise Admins*' -or $_.Message -like '*Schema Admins*' -or $_.Message -like '*Administrators*'}. You can also create custom Event Viewer filters by right-clicking the Security log, selecting Filter Current Log, entering Event ID 4728, and using the XML tab to add message content filters. For automated monitoring, configure SIEM rules or PowerShell scripts that trigger alerts only when these specific high-privilege groups are modified.
Why am I not seeing Event ID 4728 in my Security log?+
Event ID 4728 only appears when advanced audit policies are properly configured. You need to enable 'Audit Security Group Management' under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management. If using legacy audit policies, enable 'Audit account management' in Local Security Policy. The event only fires for security-enabled global groups, not distribution groups or local groups. Additionally, the account making the change must have appropriate permissions, and the event is only logged on domain controllers where the group modification occurs. Check that your Group Policy settings are applied correctly using gpresult /r and verify the audit policy is configured for Success events.
Can Event ID 4728 help detect compromised accounts or insider threats?+
Yes, Event ID 4728 is excellent for detecting both compromised accounts and insider threats. Look for unusual patterns such as group membership changes during off-hours, additions to high-privilege groups by unexpected accounts, or rapid successive group modifications. Correlate these events with logon events (4624/4625) to identify suspicious access patterns. Set up baseline monitoring to understand normal group membership change patterns in your environment, then alert on deviations. For insider threat detection, monitor for users adding themselves or colleagues to groups they shouldn't have access to, especially if the changes bypass normal change management processes. Combine Event ID 4728 analysis with other security events like 4672 (special privileges assigned) to build comprehensive threat detection capabilities.
How long should I retain Event ID 4728 logs for compliance and security purposes?+
Retention requirements for Event ID 4728 depend on your compliance framework and security policies. Most organizations retain these events for 1-2 years minimum, with many keeping them for 7 years to meet regulatory requirements like SOX, HIPAA, or PCI-DSS. For high-security environments or organizations with strict compliance needs, consider longer retention periods. Configure Windows Event Log settings to increase the Security log size (default is often too small) and enable log archiving. Use centralized log management solutions or SIEM systems to automatically archive and compress older events while maintaining searchability. For critical systems, implement redundant log storage and ensure logs are tamper-evident. Remember that some regulations require specific retention periods for privileged account activities, so consult your compliance team to determine appropriate retention policies for your organization.
Documentation

References (2)

1
Microsoft Learn - Audit Security Group ManagementOfficial Microsoft documentation covering the audit policy configuration for security group management events including Event ID 4728.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management
2
Microsoft Security Compliance ToolkitMicrosoft's official security baseline configurations including recommended audit policy settings for Active Directory environments.https://www.microsoft.com/en-us/download/details.aspx?id=55319
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4728#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...