
Windows Event ID 4731 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Member Added

Event ID 4731 fires when a member is added to a security-enabled local group on Windows systems. This security audit event tracks local group membership changes for compliance and security monitoring.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Event ID 4731 represents a fundamental component of Windows security auditing, specifically designed to track additions to security-enabled local groups. When this event fires, it indicates that the local security database has been modified to include a new member in a group that has security implications for the system.

The event structure includes several key fields: the Security ID (SID) and account name of the member being added, the target group's name and SID, the subject who performed the action (including their logon ID and authentication details), and precise timestamp information. This granular detail enables administrators to reconstruct exactly what happened, when, and by whom.

Security-enabled local groups differ from distribution groups in that they can be assigned permissions and rights on the local system. When someone is added to groups like Administrators, Backup Operators, or Remote Desktop Users, they gain specific privileges that could impact system security. Event 4731 ensures these critical changes are logged and auditable.

The event fires regardless of the method used to add the member - whether through the Local Users and Groups MMC snap-in, net localgroup commands, PowerShell cmdlets, or programmatic API calls. This comprehensive coverage ensures that no group membership changes go unnoticed when proper auditing is enabled.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually adding a user to a local security group through Computer Management
  • PowerShell commands like Add-LocalGroupMember executing to modify group membership
  • Command-line tools such as net localgroup being used to add members
  • Automated scripts or Group Policy preferences modifying local group memberships
  • Software installations that add service accounts or users to specific local groups
  • Domain controllers replicating changes that affect local group memberships on member servers
  • Third-party management tools making programmatic changes to local security groups
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4731 entry to understand what change occurred.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log for Event ID 4731 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4731 in the Event IDs field and click OK
  5. Double-click on a 4731 event to view its details
  6. Review the General tab for key information:
    • Subject: Who performed the action
    • Member: Which account was added
    • Group: Target group name and SID
    • Privileges: Any special privileges used
  7. Check the Details tab for raw XML data if needed for deeper analysis
Pro tip: Look for patterns in timing and the subject performing multiple group additions, which could indicate automated processes or potential security concerns.
02

Query Events with PowerShell

Use PowerShell to programmatically analyze Event ID 4731 occurrences and extract relevant information.

  1. Open PowerShell as Administrator
  2. Query recent 4731 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4731} -MaxEvents 50
  3. Extract detailed information from the events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4731} -MaxEvents 20 | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            MemberName = ($eventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
            # The group shown as "Group" in Event Viewer is carried in the TargetUserName/TargetSid
            # data elements; there is no element named GroupName, so filtering on it returns nothing.
            GroupName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            GroupSid = ($eventData | Where-Object {$_.Name -eq 'TargetSid'}).'#text'
            MemberSid = ($eventData | Where-Object {$_.Name -eq 'MemberSid'}).'#text'
        }
    }
  4. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4731; StartTime=$StartTime; EndTime=$EndTime}
  5. Export results to CSV for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4731} -MaxEvents 100 | 
    Select-Object TimeCreated, Id, LevelDisplayName, Message | 
    Export-Csv -Path "C:\Temp\Event4731_Analysis.csv" -NoTypeInformation
03

Verify Current Group Memberships

Cross-reference the event data with current group memberships to understand the impact of the changes.

  1. List all local groups on the system:
    Get-LocalGroup
  2. Check membership of specific security groups mentioned in the events:
    Get-LocalGroupMember -Group "Administrators"
    Get-LocalGroupMember -Group "Remote Desktop Users"
    Get-LocalGroupMember -Group "Backup Operators"
  3. For a comprehensive view of all group memberships:
    Get-LocalGroup | ForEach-Object {
        $groupName = $_.Name
        Write-Host "Group: $groupName" -ForegroundColor Green
        try {
            Get-LocalGroupMember -Group $groupName | Select-Object Name, ObjectClass, PrincipalSource
        } catch {
            Write-Host "  No members or access denied" -ForegroundColor Yellow
        }
        Write-Host ""
    }
  4. Compare with domain group memberships if applicable:
    net user [username] /domain
  5. Use Computer Management for GUI verification:
    • Right-click This PC > Manage
    • Expand Local Users and Groups > Groups
    • Double-click groups mentioned in Event 4731 to verify current membership
Warning: Always verify that group memberships align with your organization's security policies, especially for privileged groups like Administrators.
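Step 3 above lists what the groups contain now; the useful follow-up is to set that listing beside the last known-good snapshot and the extracted event data, so that every member who appeared since the baseline is tied to the audit record and the change approval that explain it. The Python below is an added example, not code from this article: the two snapshots are constructed in the shape Get-LocalGroupMember reports (one DOMAIN\name string per member, keyed by group), the audit additions are constructed (subject, member, group) tuples of the kind the XML extraction in method 02 yields, and the approved-change set stands in for whatever change-management system you use. A new member with no matching audit record is the case to chase first: it means the log rolled over or was cleared, or auditing was not enabled when the change was made.

```python
"""Tie every new local-group member to the audit record and approval that explain it."""

# Constructed snapshots in the shape Get-LocalGroupMember reports: group -> {"DOMAIN\\name", ...}.
BASELINE = {
    "Administrators": {"WS01\\Administrator", "CORP\\Domain Admins"},
    "Backup Operators": set(),
    "Remote Desktop Users": {"CORP\\helpdesk"},
}
CURRENT = {
    "Administrators": {"WS01\\Administrator", "CORP\\Domain Admins", "CORP\\jdoe"},
    "Backup Operators": {"WS01\\bkp-svc"},
    "Remote Desktop Users": {"CORP\\helpdesk", "CORP\\user1"},
}
# Constructed audit records reduced to (subject, member, group); bkp-svc deliberately has none.
AUDIT_ADDITIONS = [
    ("jdoe", "CORP\\jdoe", "Administrators"),
    ("helpdesk1", "CORP\\user1", "Remote Desktop Users"),
]
# Constructed stand-in for the change-management record: (member, group) pairs that were approved.
APPROVED = {("CORP\\user1", "Remote Desktop Users")}


def reconcile(baseline, current, additions, approved):
    """For each member present now but absent from the baseline, record who added it and its status."""
    who_added = {(member, group): subject for subject, member, group in additions}
    report = []
    for group in sorted(set(baseline) | set(current)):
        new_members = current.get(group, set()) - baseline.get(group, set())
        for member in sorted(new_members):
            subject = who_added.get((member, group))
            if subject is None:
                # No audit record at all: the log rolled over or was cleared, or auditing was off.
                status = "unexplained"
            elif (member, group) in approved:
                status = "approved"
            else:
                status = "unapproved"
            report.append({"group": group, "member": member, "added_by": subject, "status": status})
    return report


def needs_action(report):
    """Everything that is not an approved, audited change."""
    return [row for row in report if row["status"] != "approved"]


if __name__ == "__main__":
    for row in reconcile(BASELINE, CURRENT, AUDIT_ADDITIONS, APPROVED):
        print(f"{row['status']:<11} {row['group']:<22} {row['member']:<22} added by {row['added_by'] or '?'}")
```

Run it on real data by replacing the two dictionaries with a saved export of Get-LocalGroupMember output from before and after the period under review, and the tuple list with the objects produced by the PowerShell extraction in method 02.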
04

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture all relevant group membership changes.

  1. Check current audit policy settings:
    auditpol /get /subcategory:"Security Group Management"
  2. Enable comprehensive auditing for security group management:
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
  3. Verify the policy is applied:
    auditpol /get /subcategory:"Security Group Management"
  4. Configure via Group Policy for domain environments:
    • Open Group Policy Management Console
    • Edit the appropriate GPO
    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration
    • Expand Account Management
    • Configure Audit Security Group Management for both Success and Failure
  5. Check Security log size and retention settings:
    Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount
  6. Increase log size if needed:
    wevtutil sl Security /ms:104857600
05

Implement Automated Monitoring and Alerting

Set up proactive monitoring to detect and alert on suspicious group membership changes.

  1. Create a PowerShell script for continuous monitoring:
    # Save as Monitor-GroupChanges.ps1
    $LastCheck = (Get-Date).AddMinutes(-5)
    $Events = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4731
        StartTime=$LastCheck
    } -ErrorAction SilentlyContinue
    
    if ($Events) {
        foreach ($Event in $Events) {
            $xml = [xml]$Event.ToXml()
            $EventData = $xml.Event.EventData.Data
            # The target group is carried in the TargetUserName data element (there is no 'GroupName' element)
            $GroupName = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            $MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
            $SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            
            # Alert for critical local groups. 4731 covers local groups only; domain groups such as
            # Domain Admins are reported under different event IDs and never match here.
            if ($GroupName -in @('Administrators', 'Backup Operators', 'Remote Desktop Users')) {
                Write-Host "ALERT: $MemberName added to $GroupName by $SubjectUserName" -ForegroundColor Red
                # Add email notification or SIEM integration here
            }
        }
    }
  2. Schedule the script using Task Scheduler:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-GroupChanges.ps1"
    # -Once is required together with -RepetitionInterval/-RepetitionDuration; without it the parameter set cannot be resolved
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "MonitorGroupChanges" -Action $Action -Trigger $Trigger -Principal $Principal
  3. Configure Windows Event Forwarding for centralized logging:
    • On collector server: wecutil qc
    • Create subscription: wecutil cs subscription.xml
    • Configure source computers to forward Security events
  4. Set up custom Event Viewer views:
    • In Event Viewer, right-click Custom Views > Create Custom View
    • Filter for Event ID 4731 with specific criteria
    • Save as "Critical Group Changes" for quick access
  5. Integrate with SIEM solutions by configuring log forwarding or using Windows Event Collector
Pro tip: Consider implementing just-in-time (JIT) access for administrative groups to reduce the frequency of Event 4731 occurrences and improve security posture.

Overview

Event ID 4731 is a security audit event that fires whenever a member is added to a security-enabled local group on a Windows system. This event is part of Windows' comprehensive security auditing framework and appears in the Security log when local group membership changes occur.

The event captures critical details including which user or group was added, the target group name, who performed the action, and when it occurred. This makes it invaluable for security monitoring, compliance auditing, and forensic investigations. The event fires for both interactive additions through tools like Computer Management and programmatic changes via PowerShell or other administrative tools.

Unlike domain-level group changes which generate different event IDs, 4731 specifically tracks local group modifications on individual machines. This includes built-in groups like Administrators, Power Users, and Remote Desktop Users, as well as custom local groups created by administrators. The event requires audit policy settings to be properly configured to capture these membership changes.

Frequently Asked Questions

What does Event ID 4731 mean and why is it important?
Event ID 4731 indicates that a member has been added to a security-enabled local group on a Windows system. This event is crucial for security monitoring because it tracks changes to group memberships that can grant users elevated privileges or access to sensitive resources. When someone is added to groups like Administrators, Backup Operators, or Remote Desktop Users, they gain specific rights that could impact system security. The event provides detailed information about who was added, to which group, by whom, and when, making it essential for compliance auditing and forensic investigations.
How can I tell which user was added to which group from Event 4731?
Event ID 4731 contains several key fields that identify the change: the 'Member' field shows the account that was added (including both the account name and SID), the 'Group' field displays the target group name and its SID, and the 'Subject' field identifies who performed the action. You can view these details in Event Viewer by double-clicking the event, or extract them programmatically using PowerShell with Get-WinEvent and XML parsing. The event also includes the member's domain or computer name, making it easy to distinguish between local and domain accounts.
Why am I not seeing Event ID 4731 in my Security log?
Event ID 4731 requires specific audit policy settings to be enabled. You need to configure 'Audit Security Group Management' under the Account Management category in your audit policy. Use the command 'auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable' to enable it. Additionally, ensure your Security log has sufficient size and retention settings, as these events can be numerous in active environments. If you're in a domain environment, check that the appropriate Group Policy settings are configured and applied to your systems.
Can Event ID 4731 help detect unauthorized privilege escalation?
Yes, Event ID 4731 is excellent for detecting unauthorized privilege escalation attempts. By monitoring additions to critical groups like Administrators, Power Users, or custom privileged groups, you can identify when users gain elevated access. Look for patterns such as additions outside normal business hours, multiple rapid additions by the same subject, or additions to highly privileged groups by non-administrative accounts. Automated monitoring scripts can alert on these suspicious activities in real-time. Cross-reference the 'Subject' field with your change management processes to verify if the group additions were authorized.
How long are Event ID 4731 records retained in the Security log?
Event ID 4731 retention depends on your Security log configuration. By default, Windows Security logs are typically set to 20MB with an 'Overwrite events as needed' policy, meaning older events are deleted when the log fills up. In active environments, this could be days or weeks. You can check current settings with 'Get-WinEvent -ListLog Security' and modify retention using 'wevtutil sl Security /ms:[size_in_bytes]' or through Event Viewer properties. For compliance requirements, consider implementing Windows Event Forwarding to centralize logs or configure longer retention periods and larger log sizes.
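The review heuristics given in the privilege-escalation answer above (a privileged target group, activity outside business hours, several additions by one subject in a short window) can be applied offline to records exported from the Security log, which also makes them easy to wire into the monitoring script of method 05 or a SIEM. The Python below is an added example and is not code from this article or from Microsoft: it parses event XML in the layout that Get-WinEvent's ToXml() emits (the layout the PowerShell in methods 02 and 05 walks), reads the member, target group and subject from the EventData elements (the names MemberName, MemberSid, TargetUserName, TargetSid, SubjectUserName and SubjectLogonId are assumed to follow the Security-Auditing provider's naming for its group-membership events, with the target group carried in TargetUserName rather than a GroupName element), and tags each record with the reasons it warrants review. Every record is a constructed sample; the privileged-group list, the business-hours window and the burst threshold are assumptions to tune to your own environment.

```python
"""Offline triage of group-membership audit records against the review heuristics above."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Assumed tuning values: local groups worth an alert, normal hours (local time), burst rule.
PRIVILEGED_LOCAL_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 counts as a normal working window
BURST_WINDOW = timedelta(minutes=10)    # three or more additions by one subject inside
BURST_THRESHOLD = 3                     # this window are flagged as a burst


def parse_systemtime(ts):
    """Windows writes seven fractional digits ('...05.1234567Z'); datetime accepts at most six."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Reduce one event XML document to the fields an analyst needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "subject": data.get("SubjectUserName", ""),
        "subject_logon_id": data.get("SubjectLogonId", ""),
        "member": data.get("MemberName", ""),
        "member_sid": data.get("MemberSid", ""),
        "group": data.get("TargetUserName", ""),       # shown as "Group" in Event Viewer
        "group_sid": data.get("TargetSid", ""),
    }


def triage(events, local_tz=timezone.utc):
    """Return the records that need review, each with its list of reasons, in time order."""
    findings = []
    recent_by_subject = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        if ev["group"] in PRIVILEGED_LOCAL_GROUPS:
            reasons.append("privileged-group")
        if ev["time"].astimezone(local_tz).hour not in BUSINESS_HOURS:
            reasons.append("out-of-hours")
        # Keep only this subject's additions still inside the window, then count the current one.
        window = [t for t in recent_by_subject[ev["subject"]] if ev["time"] - t <= BURST_WINDOW]
        window.append(ev["time"])
        recent_by_subject[ev["subject"]] = window
        if len(window) >= BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            findings.append({"time": ev["time"].isoformat(), "computer": ev["computer"],
                             "subject": ev["subject"], "member": ev["member"],
                             "group": ev["group"], "reasons": reasons})
    return findings


def sample_event(system_time, subject, member, member_sid, group, group_sid):
    """Constructed record in the layout ToXml() emits; the values are invented, not captured."""
    return f"""<Event xmlns="{EVT_NS}">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4731</EventID>
    <TimeCreated SystemTime="{system_time}"/><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="MemberName">{member}</Data><Data Name="MemberSid">{member_sid}</Data>
    <Data Name="TargetUserName">{group}</Data><Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">{group_sid}</Data><Data Name="SubjectUserSid">S-1-5-21-1-2-3-1104</Data>
    <Data Name="SubjectUserName">{subject}</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data><Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""


# Five constructed records: one benign, one out-of-hours admin addition, three rapid RDU additions.
SAMPLE_EVENTS = [
    sample_event("2026-03-18T09:15:00.0000000Z", "svc-deploy", "WS01\\app-svc", "S-1-5-21-1-2-3-1010",
                 "Performance Monitor Users", "S-1-5-32-558"),
    sample_event("2026-03-18T02:14:05.1234567Z", "jdoe", "CORP\\jdoe", "S-1-5-21-4-5-6-1202",
                 "Administrators", "S-1-5-32-544"),
    sample_event("2026-03-18T10:00:00.0000000Z", "helpdesk1", "CORP\\user1", "S-1-5-21-4-5-6-1301",
                 "Remote Desktop Users", "S-1-5-32-555"),
    sample_event("2026-03-18T10:03:00.0000000Z", "helpdesk1", "CORP\\user2", "S-1-5-21-4-5-6-1302",
                 "Remote Desktop Users", "S-1-5-32-555"),
    sample_event("2026-03-18T10:06:00.0000000Z", "helpdesk1", "CORP\\user3", "S-1-5-21-4-5-6-1303",
                 "Remote Desktop Users", "S-1-5-32-555"),
]


def run_sample():
    return triage([parse_event(x) for x in SAMPLE_EVENTS])


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']} {f['subject']} added {f['member']} to {f['group']}: {', '.join(f['reasons'])}")
```

To use it on real data, feed the strings returned by `$_.ToXml()` (or the contents of an exported .xml file) to parse_event and pass the local time zone of the monitored host to triage so the business-hours check is evaluated in local time rather than UTC.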

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
