
Windows Event ID 4729 – Microsoft-Windows-Security-Auditing: A Member was Removed from a Security-Enabled Global Group

Event ID 4729 logs when a user or computer account is removed from a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4729 is generated by the Microsoft-Windows-Security-Auditing provider when Active Directory processes a request to remove a member from a security-enabled global group. This event occurs on domain controllers and is part of the advanced audit policy for account management.

The event contains comprehensive information about the group membership change, including the security identifier (SID) of the removed member, the target group name and domain, and the account that initiated the change. This level of detail makes it invaluable for security investigations and compliance reporting.

Global groups in Active Directory can contain users, computers, and other global groups from the same domain. When any of these objects are removed from a global group, Event ID 4729 is logged. The event helps administrators maintain visibility into group membership changes that could impact security boundaries and access control decisions.

This event is particularly critical in environments with strict compliance requirements, as it provides an audit trail for group membership changes. Security teams rely on this event to detect unauthorized modifications to privileged groups and to ensure that access removals are properly documented and authorized.

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually removing a user from a global group using Active Directory Users and Computers
  • Automated scripts or PowerShell commands removing group members
  • Third-party identity management systems modifying group memberships
  • Group Policy processing that affects group memberships
  • Active Directory replication processing membership changes from other domain controllers
  • Exchange Server or other applications removing service accounts from groups
  • User account deletion that triggers automatic removal from all groups
  • Bulk user management operations performed through ADSI or LDAP
Resolution Methods

Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the event details to understand what happened and who initiated the change.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4729 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: Account that performed the removal
    • Member: Account that was removed from the group
    • Group: Target group name and domain
    • Additional Information: Privileges used for the operation

Use this PowerShell command to quickly retrieve recent 4729 events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Step 2: Query Events with PowerShell for Detailed Analysis

Use PowerShell to perform advanced filtering and analysis of group membership removal events.

  1. Query events for a specific group (replace GroupName with the group you are investigating):
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} -MaxEvents 100
# Split on CRLF so no trailing carriage return is left on the extracted values.
# The first 'Account Name:' line belongs to the Subject (the account that performed the removal).
$Events | Where-Object {$_.Message -like '*GroupName*'} |
    Select-Object TimeCreated,
        @{Name='User';  Expression={(($_.Message -split '\r?\n' | Where-Object {$_ -like '*Account Name:*'})[0] -replace '.*Account Name:\s*').Trim()}},
        @{Name='Group'; Expression={(($_.Message -split '\r?\n' | Where-Object {$_ -like '*Group Name:*'})[0] -replace '.*Group Name:\s*').Trim()}}
  2. Search for events within a specific time range:
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Message -Wrap
  3. Export events to CSV for further analysis:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} -MaxEvents 500 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\Temp\GroupRemovals.csv" -NoTypeInformation
Step 3: Correlate with Group Membership Changes

Investigate the current state of the group and verify the membership change was authorized.

  1. Check current group membership using PowerShell:
Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName, ObjectClass
  2. Review group modification history:
Get-ADGroup -Identity "GroupName" -Properties whenChanged, whenCreated, modifyTimeStamp | Select-Object Name, whenCreated, whenChanged, modifyTimeStamp
  3. Check for related events (4728 for member additions, 4730 for deletion of the group itself):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4729,4730} -MaxEvents 50 | Where-Object {$_.Message -like '*GroupName*'} | Sort-Object TimeCreated
  4. Verify the user who performed the action has appropriate permissions:
Get-ADUser -Identity "AdminUsername" -Properties MemberOf | Select-Object Name, @{Name='Groups';Expression={$_.MemberOf -join '; '}}
Step 4: Implement Advanced Monitoring and Alerting

Set up proactive monitoring to track group membership changes and detect unauthorized modifications.

  1. Create a scheduled task to monitor critical group changes:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorGroupChanges.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "09:00AM"
Register-ScheduledTask -TaskName "Monitor Group Changes" -Action $Action -Trigger $Trigger -User "SYSTEM"
  2. Create the monitoring script (C:\Scripts\MonitorGroupChanges.ps1):
# Monitor Group Changes Script: daily report of 4729 events from the last 24 hours
$Yesterday = (Get-Date).AddDays(-1)
# SilentlyContinue: Get-WinEvent raises an error rather than returning nothing when no events match
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729; StartTime=$Yesterday} -ErrorAction SilentlyContinue

if ($Events) {
    $Report = $Events | ForEach-Object {
        # Parse event details from the structured EventData instead of the free-text message
        $EventData = ([xml]$_.ToXml()).Event.EventData.Data
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Event   = "Member Removed"
            Subject = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            Member  = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
            Group   = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            Details = $_.Message
        }
    }
    $Report | Export-Csv -Path "C:\Logs\GroupChanges_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
}
  3. Configure Windows Event Forwarding for centralized logging (enable WinRM on each source domain controller; on the collector, create the subscription from a subscription definition file you have prepared):
winrm quickconfig
wecutil cs subscription.xml
Pro tip: Use System Center Operations Manager or Azure Sentinel for enterprise-scale monitoring of these events across multiple domain controllers.
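The subscription definition that "wecutil cs subscription.xml" in step 4 expects, written out from PowerShell on the collector. This is an added example, not part of the original article; it assumes the collector was initialised with "wecutil qc", that the domain controllers are configured to forward to it, and that the subscription name and file path are your own choice. It also collects the related 4728 and 4730 events from step 3.

```powershell
# Added example (not from the original article): source-initiated WEF subscription that
# collects Event IDs 4728, 4729 and 4730 from the Security log of domain controllers.
$CollectorSubscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>GlobalGroupMembershipChanges</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security-enabled global group membership changes (4728/4729/4730) from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4728 or EventID=4729 or EventID=4730)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL that allows members of the Domain Controllers group (SID abbreviation DD) to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@

# Assumed file location; any path readable by wecutil works
$SubscriptionFile = "$env:TEMP\subscription.xml"
Set-Content -Path $SubscriptionFile -Value $CollectorSubscription -Encoding UTF8

wecutil cs $SubscriptionFile                  # create the subscription on the collector
wecutil gs GlobalGroupMembershipChanges      # show the subscription as the collector stored it
```

Forwarded events land in the ForwardedEvents log on the collector, so the Get-WinEvent queries elsewhere in this article need LogName='ForwardedEvents' when run there.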
Step 5: Forensic Analysis and Compliance Reporting

Perform detailed forensic analysis for security incidents or compliance audits involving group membership changes.

  1. Generate a comprehensive audit report:
$StartDate = Read-Host "Enter start date (MM/DD/YYYY)"
$EndDate = Read-Host "Enter end date (MM/DD/YYYY)"
$Start = Get-Date $StartDate
$End = Get-Date $EndDate

$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729; StartTime=$Start; EndTime=$End}

$Report = $Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $EventData = $EventXML.Event.EventData.Data
    
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        SubjectDomainName = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
        MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
        MemberSid = ($EventData | Where-Object {$_.Name -eq 'MemberSid'}).'#text'
        TargetUserName = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        TargetDomainName = ($EventData | Where-Object {$_.Name -eq 'TargetDomainName'}).'#text'
    }
}

$Report | Export-Csv -Path "C:\Audit\GroupRemovalAudit_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  2. Cross-reference with authentication logs:
$GroupEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} -MaxEvents 100
$AuthEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} -MaxEvents 1000

# Index the logon events once: time plus the account that logged on (TargetUserName)
$AuthIndex = foreach ($Auth in $AuthEvents) {
    $Data = ([xml]$Auth.ToXml()).Event.EventData.Data
    [PSCustomObject]@{
        Time = $Auth.TimeCreated
        User = ($Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
    }
}

# Correlate events by user and time: logons by the Subject account within 30 minutes either side of the removal
$Correlation = foreach ($GroupEvent in $GroupEvents) {
    $EventTime = $GroupEvent.TimeCreated
    $WindowStart = $EventTime.AddMinutes(-30)   # the .. range operator does not work on DateTime values
    $WindowEnd = $EventTime.AddMinutes(30)
    $Subject = (([xml]$GroupEvent.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'

    $RelatedAuth = @($AuthIndex | Where-Object {$_.Time -ge $WindowStart -and $_.Time -le $WindowEnd -and $_.User -eq $Subject})

    [PSCustomObject]@{
        GroupChangeTime = $EventTime
        Subject = $Subject
        GroupEvent = $GroupEvent.Message
        RelatedAuthentications = $RelatedAuth.Count
    }
}
$Correlation | Format-Table GroupChangeTime, Subject, RelatedAuthentications
Warning: Ensure proper retention policies are in place for security logs, as these events are crucial for forensic investigations and may be required for compliance audits.

Overview

Event ID 4729 fires whenever a member is removed from a security-enabled global group in Active Directory. This event is part of Windows security auditing and appears in the Security log on domain controllers when group membership changes occur. The event captures critical details including who performed the removal, which account was removed, from which group, and when the action occurred.

This event is essential for security monitoring, compliance auditing, and investigating unauthorized access changes. It helps administrators track group membership modifications that could affect user permissions and system access. The event fires on the domain controller that processes the group membership change, making it crucial for centralized security logging.

Unlike local group changes, global group modifications are replicated across all domain controllers, making this event particularly important for enterprise environments. The event provides detailed attribution information, allowing administrators to trace group changes back to specific user accounts and timestamps.

Frequently Asked Questions

What does Event ID 4729 mean and why is it important?
Event ID 4729 indicates that a member was removed from a security-enabled global group in Active Directory. This event is crucial for security monitoring because it tracks changes to group memberships that directly affect user permissions and access rights. It provides an audit trail showing who removed which account from what group and when, making it essential for compliance reporting and security investigations.
How can I determine who removed a user from a group using Event ID 4729?
The event details contain a 'Subject' section that identifies the account that performed the removal. Look for the 'Account Name' and 'Account Domain' fields under the Subject section. You can also use PowerShell to parse this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} | ForEach-Object {$_.Message -split '\n' | Where-Object {$_ -like '*Subject:*' -or $_ -like '*Account Name:*'}}. This will show you exactly which administrator account initiated the group membership change.
Why am I seeing Event ID 4729 on multiple domain controllers?
Event ID 4729 appears on the domain controller that processes the group membership change. However, you might see related replication events on other domain controllers as the change propagates through Active Directory replication. Each domain controller logs the event when it processes the change locally. To identify the originating domain controller, check the computer name in the event details or look for the earliest timestamp across your domain controllers.
Can Event ID 4729 help me track unauthorized group changes?
Yes, Event ID 4729 is excellent for detecting unauthorized group modifications. Monitor these events for changes to sensitive groups like Domain Admins, Enterprise Admins, or custom privileged groups. Set up alerts for any 4729 events affecting critical groups, especially during off-hours. Cross-reference the 'Subject' account with your authorized administrator list. Use PowerShell to filter events: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} | Where-Object {$_.Message -like '*Domain Admins*' -or $_.Message -like '*Enterprise Admins*'}.
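Step 4 and this answer both describe the same check: alert on removals from sensitive groups, and treat a Subject account that is not on the authorized administrator list, or a change made off-hours, as aggravating. The following is an added example, not code from the original article; the functions, the watched-group defaults, the business-hours window and the sample event (domain CORP, placeholder SIDs) are all constructed here so the check runs offline before being pointed at live events.

```powershell
# Added example (not from the original article). Parses a 4729 event from its XML and
# flags removals from watched privileged groups, recording aggravating factors: a Subject
# account outside the authorized-administrator list, or a change outside business hours.
function ConvertFrom-Event4729 {
    param([Parameter(Mandatory)][string]$EventXml)
    $Xml = [xml]$EventXml
    $Field = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $Field[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeCreated = [datetime]::Parse($Xml.Event.System.TimeCreated.SystemTime, [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
        Computer    = $Xml.Event.System.Computer
        Subject     = "$($Field['SubjectDomainName'])\$($Field['SubjectUserName'])"
        MemberName  = $Field['MemberName']
        MemberSid   = $Field['MemberSid']
        Group       = $Field['TargetUserName']
        GroupDomain = $Field['TargetDomainName']
    }
}

function Test-PrivilegedRemoval {
    param(
        [Parameter(Mandatory)]$Record,
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [string[]]$AuthorizedAdmins = @(),
        [int]$BusinessStart = 8,    # local hour, inclusive
        [int]$BusinessEnd = 18      # local hour, exclusive
    )
    if ($WatchedGroups -notcontains $Record.Group) { return $null }   # not a watched group: no alert
    $Reasons = @("removal of '$($Record.MemberName)' from watched group '$($Record.Group)'")
    if ($AuthorizedAdmins -notcontains $Record.Subject) { $Reasons += "subject '$($Record.Subject)' is not an authorized administrator" }
    $Hour = $Record.TimeCreated.ToLocalTime().Hour   # evaluated in the collector's local time
    if ($Hour -lt $BusinessStart -or $Hour -ge $BusinessEnd) { $Reasons += "change made outside business hours" }
    $Severity = if ($Reasons.Count -gt 1) { 'High' } else { 'Medium' }
    [PSCustomObject]@{ Severity = $Severity; Reasons = $Reasons; Record = $Record }
}

# Constructed sample 4729 event (hypothetical domain CORP, placeholder SIDs) so the check runs offline
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4729</EventID>
    <TimeCreated SystemTime="2026-03-14T02:13:45.000Z"/><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Jane Doe,OU=Users,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data><Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">svc-backup</Data><Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
$Alert = Test-PrivilegedRemoval -Record (ConvertFrom-Event4729 $SampleXml) -AuthorizedAdmins @('CORP\jdoe-adm')
$Alert | Select-Object Severity, @{n='Reasons'; e={ $_.Reasons -join '; ' }} | Format-List
```

Against live events, pipe each record through the same pair: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4729} | ForEach-Object { Test-PrivilegedRemoval -Record (ConvertFrom-Event4729 $_.ToXml()) -AuthorizedAdmins $Admins }.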
How long are Event ID 4729 records retained and how can I extend retention?
By default, Security log retention depends on your Event Log settings, typically 20MB with overwrite as needed. For compliance and security monitoring, extend retention by increasing the maximum log size in Event Viewer properties or configure log forwarding to a central collector. Use PowerShell to check current settings: Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode. For long-term retention, implement Windows Event Forwarding (WEF) or export events to a SIEM solution. Consider archiving events older than 90 days to separate storage while maintaining immediate access to recent events.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
