ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with security audit logs in a professional SOC environment
Event ID 4733InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4733 – Microsoft-Windows-Security-Auditing: Security Group Member Removed

Event ID 4733 logs when a user or computer account is removed from a security group in Active Directory, providing critical audit information for access control changes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 1
Event ID 4733Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4733 represents a critical security audit event that Windows generates when removing members from security groups. This event is part of the advanced audit policy framework introduced in Windows Server 2008 and enhanced through 2026 updates. The event provides comprehensive details about group membership changes, including timestamps, source accounts, target groups, and the specific members removed.

The event structure includes several key fields: the security identifier (SID) of the removed member, the group's distinguished name, the account that initiated the change, and the logon session details. Windows generates this event on domain controllers when domain security groups are modified, and on local systems when local security groups change. The event helps organizations maintain compliance with security frameworks like SOX, HIPAA, and PCI-DSS that require detailed access control auditing.

In enterprise environments, Event ID 4733 events can generate significant log volume, especially in environments with automated group management systems or frequent administrative changes. The event integrates with Windows Event Forwarding (WEF) and can be collected centrally using tools like System Center Operations Manager or third-party SIEM solutions. Understanding the context and frequency of these events helps administrators distinguish between legitimate administrative actions and potential security incidents requiring investigation.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually removing users from Active Directory security groups through ADUC or PowerShell
  • Automated scripts or group management tools removing expired or transferred users from groups
  • Group Policy processing removing computer accounts from security groups
  • Identity management systems like Microsoft Identity Manager performing automated group cleanup
  • Exchange Server removing users from distribution or security groups during mailbox operations
  • Third-party applications with Active Directory integration removing service accounts from groups
  • Bulk user management operations during organizational restructuring
  • Security incident response procedures removing compromised accounts from privileged groups
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4733 to understand what group membership change occurred.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4733 in the Event IDs field and click OK
  5. Double-click on a 4733 event to view detailed information
  6. Review the General tab for key details:
    • Subject: Account that performed the removal
    • Member: Account that was removed from the group
    • Group: Security group that was modified
    • Additional Information: Privileges used for the operation
  7. Check the Details tab for XML format with complete field information
  8. Note the timestamp to correlate with other security events if investigating an incident
Pro tip: Use the Details tab XML view to copy specific field values for further investigation or reporting.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4733 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent 4733 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Search for specific group modifications:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733}
$Events | Where-Object {$_.Message -like '*Domain Admins*'} | Select-Object TimeCreated, Message
  4. Extract structured data from event messages:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733} -MaxEvents 100
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
        GroupName = ($EventData | Where-Object {$_.Name -eq 'GroupName'}).'#text'
    }
}
  5. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733} | Export-Csv -Path "C:\Temp\GroupRemovals.csv" -NoTypeInformation
Warning: Large environments may generate thousands of 4733 events daily. Use date ranges and specific filters to avoid performance issues.
03

Correlate with Active Directory Changes

Cross-reference Event ID 4733 with other Active Directory events to build a complete picture of group membership changes.

  1. Enable Advanced Audit Policy if not already configured:
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
  2. Query related security events for comprehensive analysis:
    # Get group management events from the last 24 hours
$StartTime = (Get-Date).AddDays(-1)
$GroupEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4728,4729,4732,4733,4756,4757
    StartTime=$StartTime
} | Sort-Object TimeCreated
  3. Check for corresponding Event ID 4732 (member added) events:
    $AddEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732}
$RemoveEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733}
# Compare to identify accounts being moved between groups
  4. Examine Directory Service logs on domain controllers:
    • Navigate to Applications and Services LogsDirectory Service
    • Look for events related to group modifications
    • Check for replication events if changes occurred on multiple DCs
  5. Review the Security log on member servers for local group changes:
    Invoke-Command -ComputerName "Server01","Server02" -ScriptBlock {
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4733} -MaxEvents 10
}
04

Implement Monitoring and Alerting

Set up proactive monitoring for Event ID 4733 to detect unauthorized group membership changes in real-time.

  1. Create a custom Windows Event Forwarding subscription:
    • On your collector server, open Event Viewer
    • Right-click Subscriptions and select Create Subscription
    • Configure source computers and add this XPath query:
      *[System[(EventID=4733)]]
  2. Set up PowerShell-based monitoring script:
    # Save as Monitor-GroupRemovals.ps1
$Action = {
    $Event = $Event.SourceEventArgs.NewEvent
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    $GroupName = ($EventData | Where-Object {$_.Name -eq 'GroupName'}).'#text'
    $MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
    
    if ($GroupName -like '*Admin*' -or $GroupName -like '*Privileged*') {
        Send-MailMessage -To "security@company.com" -From "monitoring@company.com" `
            -Subject "Critical Group Removal Alert" `
            -Body "User $MemberName removed from $GroupName at $(Get-Date)" `
            -SmtpServer "mail.company.com"
    }
}

Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4733" -Action $Action
  3. Configure Windows Task Scheduler for regular auditing:
    • Create a scheduled task that runs the monitoring script
    • Set appropriate triggers based on your security requirements
    • Configure email notifications for critical group changes
  4. Integrate with SIEM solutions:
    • Configure log forwarding to your SIEM platform
    • Create correlation rules for suspicious group modification patterns
    • Set up dashboards to visualize group membership trends
Pro tip: Focus monitoring on privileged groups like Domain Admins, Enterprise Admins, and custom administrative groups for maximum security impact.
05

Advanced Forensic Analysis and Compliance Reporting

Perform comprehensive analysis of Event ID 4733 for security investigations and compliance reporting.

  1. Create detailed forensic queries for incident investigation:
    # Advanced analysis script
$StartDate = (Get-Date).AddDays(-30)
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4733
    StartTime=$StartDate
}

$Analysis = foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        Computer = $Event.MachineName
        SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        SubjectDomainName = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
        MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
        MemberSid = ($EventData | Where-Object {$_.Name -eq 'MemberSid'}).'#text'
        GroupName = ($EventData | Where-Object {$_.Name -eq 'GroupName'}).'#text'
        GroupDomain = ($EventData | Where-Object {$_.Name -eq 'GroupDomain'}).'#text'
        PrivilegeList = ($EventData | Where-Object {$_.Name -eq 'PrivilegeList'}).'#text'
    }
}

# Generate compliance report
$Analysis | Export-Csv -Path "C:\Reports\GroupRemovalAudit_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  2. Analyze patterns for security anomalies:
    # Identify unusual activity patterns
$GroupedByUser = $Analysis | Group-Object SubjectUserName | Sort-Object Count -Descending
$GroupedByGroup = $Analysis | Group-Object GroupName | Sort-Object Count -Descending
$GroupedByTime = $Analysis | Group-Object {$_.TimeCreated.Hour} | Sort-Object Name

# Flag potential security concerns
$SuspiciousActivity = $Analysis | Where-Object {
    $_.GroupName -like '*Admin*' -and 
    $_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 22
}
  3. Cross-reference with user account changes:
    # Correlate with account management events
$AccountEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4720,4722,4725,4726,4738
    StartTime=$StartDate
}

# Find accounts removed from groups shortly after creation/modification
  4. Generate executive summary reports:
    • Create PowerBI dashboards showing group modification trends
    • Generate monthly compliance reports for audit teams
    • Implement automated reporting for SOX/HIPAA compliance
  5. Document findings and recommendations:
    • Maintain incident response documentation
    • Update security policies based on analysis results
    • Provide training recommendations for administrators
Warning: Forensic analysis may require significant system resources. Run comprehensive queries during maintenance windows to avoid impacting production systems.

Overview

Event ID 4733 fires whenever a member is removed from a security group in Active Directory or local security groups. This audit event is part of Windows' comprehensive security logging framework and appears in the Security log on domain controllers and member systems where group membership changes occur.

The event captures essential details including the group name, the removed member's identity, and the account that performed the removal. This makes it invaluable for security auditing, compliance reporting, and investigating unauthorized access changes. Domain administrators rely on this event to track privilege escalation attempts and ensure proper access control governance.

Unlike informational group changes, Event ID 4733 specifically tracks security group modifications that can impact system access and permissions. The event generates on the system where the group membership change occurs - typically domain controllers for domain groups or local systems for local groups. Understanding this event helps administrators maintain visibility into their security posture and detect potential insider threats or compromised accounts making unauthorized changes.

Frequently Asked Questions

What does Event ID 4733 mean and why is it important?+
Event ID 4733 indicates that a member has been removed from a security group in Windows. This event is crucial for security auditing because it tracks changes to access control permissions. When users or computers are removed from security groups, their access rights change, which can impact their ability to access resources, files, or perform administrative functions. Security teams monitor this event to ensure that access removals are authorized and to detect potential insider threats or compromised accounts making unauthorized changes to group memberships.
How can I distinguish between legitimate and suspicious Event ID 4733 occurrences?+
Legitimate Event ID 4733 events typically occur during business hours by known administrators, follow established change management processes, and correlate with documented personnel changes like transfers or terminations. Suspicious events might include: removals from privileged groups during off-hours, bulk removals by non-administrative accounts, removals immediately followed by re-additions (indicating potential privilege escalation attempts), or removals from critical security groups without corresponding change tickets. Always cross-reference the 'Subject' field with your list of authorized administrators and verify that group changes align with approved organizational changes.
Which Windows logs contain Event ID 4733 and how do I access them?+
Event ID 4733 appears in the Windows Security log on the system where the group membership change occurs. For domain security groups, check the Security log on domain controllers. For local security groups, check the Security log on the specific member server or workstation. Access these logs through Event Viewer (eventvwr.msc) by navigating to Windows Logs → Security. You can also query them remotely using PowerShell with Get-WinEvent cmdlets or collect them centrally using Windows Event Forwarding. The events require appropriate audit policies to be enabled, specifically 'Audit Security Group Management' under Advanced Audit Policy Configuration.
What information does Event ID 4733 provide for security investigations?+
Event ID 4733 provides comprehensive details for security investigations including: the exact timestamp of the group membership change, the account that performed the removal (Subject fields), the specific member that was removed (Member Name and SID), the target security group (Group Name and Domain), the computer where the change occurred, and the privileges used to perform the operation. This information allows investigators to build a timeline of access changes, identify the source of unauthorized modifications, correlate with other security events, and determine the potential impact of the group membership change on system security and compliance.
How should I configure monitoring and alerting for Event ID 4733 in an enterprise environment?+
Configure Event ID 4733 monitoring by first enabling the 'Audit Security Group Management' policy through Group Policy or local security policy. Set up Windows Event Forwarding to collect events centrally from all domain controllers and critical servers. Create filtered subscriptions focusing on privileged groups like Domain Admins, Enterprise Admins, and custom administrative groups. Implement real-time alerting for removals from these critical groups, especially during off-hours. Use PowerShell scripts or SIEM solutions to correlate 4733 events with other security events and establish baseline patterns. Configure automated reports for compliance teams and establish escalation procedures for suspicious group modification patterns. Consider implementing approval workflows for privileged group changes to prevent unauthorized removals.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4733 and related group management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation on configuring advanced audit policies for security group management monitoring.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4733#security-auditing#group-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...