ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Server Active Directory management console displaying security event logs and group management interface
Event ID 4737InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4737 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Changed

Event ID 4737 fires when a security-enabled global group is modified in Active Directory, tracking changes to group properties, membership, or attributes for security auditing purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4737Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4737 represents a critical component of Active Directory's security auditing infrastructure, specifically designed to track modifications to security-enabled global groups. When this event fires, it indicates that someone with appropriate permissions has altered a global group's properties through tools like Active Directory Users and Computers, PowerShell cmdlets, or programmatic interfaces.

The event captures comprehensive details including the group's distinguished name, SID, SAM account name, and the specific attributes that were modified. It also records the user account responsible for the change, including their domain, logon ID, and authentication details. This granular tracking enables administrators to maintain detailed audit trails for security and compliance purposes.

In Windows Server 2025 and modern Active Directory environments, this event integrates with advanced threat protection systems and can trigger automated responses when suspicious group modifications occur. The event data includes both the old and new values for changed attributes, making it possible to track exactly what was modified and potentially roll back unauthorized changes.

Organizations typically configure Group Policy to ensure this auditing is enabled across all domain controllers, as missing these events can create significant security blind spots. The event frequency depends on administrative activity levels, but even small organizations should expect to see these events regularly as part of normal Active Directory maintenance operations.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Windows 10Windows 11
Analysis

Possible Causes

  • Administrator modifying group description or other properties through Active Directory Users and Computers
  • PowerShell scripts using Set-ADGroup cmdlet to update group attributes
  • Automated systems or service accounts updating group properties programmatically
  • Group Policy processing that modifies security group attributes
  • Third-party identity management tools making changes to Active Directory groups
  • Exchange Server or other applications updating group properties for mail-enabled groups
  • Directory synchronization tools modifying group attributes during sync operations
  • Administrative tools like ADSI Edit being used to directly modify group objects
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4737 to understand what was changed and by whom.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4737 using the filter option
  4. Double-click the event to view detailed information
  5. Review the following key fields:
    • Subject: Shows who made the change (Security ID, Account Name, Domain)
    • Group: Displays the modified group's SID, name, and domain
    • Changed Attributes: Lists specific attributes that were modified
    • Additional Information: Contains privilege information and process details

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4737} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
02

Correlate with Related Security Events

Investigate related events to build a complete picture of the administrative activity that triggered the group modification.

  1. Search for related logon events (4624) around the same timeframe to identify the session
  2. Look for Event ID 4728 (member added) or 4729 (member removed) if membership changes occurred
  3. Check for Event ID 4735 (security-enabled local group changed) if local groups were also modified

Use this PowerShell script to correlate events within a specific timeframe:

# Get Event 4737 and related events within 1 hour window
$StartTime = (Get-Date).AddHours(-1)
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4737,4728,4729,4624
    StartTime=$StartTime
} | Sort-Object TimeCreated

$Events | Select-Object TimeCreated, Id, @{Name='User';Expression={($_.Message -split '\n' | Where-Object {$_ -match 'Account Name:'} | Select-Object -First 1) -replace '.*Account Name:\s*',''}}
  • Cross-reference the Logon ID from Event 4737 with logon events to trace the complete session
  • Review process information to identify which tool or application made the change
    • 03

    Analyze Group Changes Using PowerShell

    Use PowerShell to extract and analyze the specific changes made to the group, including before and after values.

    1. Extract detailed information from the event message:
    # Parse Event 4737 details
$Event4737 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4737} -MaxEvents 1
$EventXML = [xml]$Event4737.ToXml()

# Extract key information
$SubjectUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
$TargetUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
$TargetSid = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'} | Select-Object -ExpandProperty '#text'

Write-Host "Modified by: $SubjectUserName"
Write-Host "Group affected: $TargetUserName"
Write-Host "Group SID: $TargetSid"
    1. Compare current group properties with historical data:
    # Get current group properties
$GroupSID = "S-1-5-21-..."
$Group = Get-ADGroup -Identity $GroupSID -Properties *

# Display key properties that might have been changed
$Group | Select-Object Name, Description, GroupCategory, GroupScope, Created, Modified
    1. Create a monitoring script for ongoing group change tracking
    04

    Implement Advanced Monitoring and Alerting

    Set up proactive monitoring to detect and alert on suspicious group modifications in real-time.

    1. Create a scheduled task to monitor for Event ID 4737:
    # Create monitoring script
$ScriptBlock = {
    $LastHour = (Get-Date).AddHours(-1)
    $Events = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4737
        StartTime=$LastHour
    } -ErrorAction SilentlyContinue
    
    if ($Events) {
        $Events | ForEach-Object {
            $EventXML = [xml]$_.ToXml()
            $Subject = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            $Target = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
            
            Write-EventLog -LogName Application -Source "GroupMonitor" -EventId 1001 -Message "Group $Target modified by $Subject at $($_.TimeCreated)"
        }
    }
}

# Register scheduled task
Register-ScheduledTask -TaskName "MonitorGroupChanges" -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command $ScriptBlock")
    1. Configure Windows Event Forwarding to centralize group change events
    2. Set up custom event log queries in System Center Operations Manager or similar tools
    3. Implement automated response procedures for critical group modifications
    05

    Forensic Analysis and Compliance Reporting

    Perform comprehensive forensic analysis of group changes for security investigations and compliance reporting.

    1. Export Event ID 4737 data for detailed analysis:
    # Export events to CSV for analysis
$StartDate = (Get-Date).AddDays(-30)
$Events = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4737
    StartTime=$StartDate
}

$EventData = $Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        SubjectDomainName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        TargetSid = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'} | Select-Object -ExpandProperty '#text'
        PrivilegeList = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'PrivilegeList'} | Select-Object -ExpandProperty '#text'
    }
}

$EventData | Export-Csv -Path "C:\Temp\GroupChanges_4737.csv" -NoTypeInformation
    1. Create compliance reports showing group modification patterns
    2. Analyze the data for unusual patterns or unauthorized changes
    3. Cross-reference with change management systems to verify authorized modifications
    4. Generate executive summaries for security and compliance teams
    Pro tip: Use the exported data with tools like Excel Power Query or Power BI to create visual dashboards showing group change trends and patterns over time.

    Overview

    Event ID 4737 is a security audit event that fires whenever a security-enabled global group undergoes modification in Active Directory. This event captures changes to group properties such as description, group type conversion, or attribute modifications—but not membership changes, which are tracked separately by Event ID 4728 (member added) and 4729 (member removed).

    This event appears in the Security log on domain controllers and is part of Windows' comprehensive Active Directory auditing framework. The event provides detailed information about what changed, who made the change, and when it occurred. In enterprise environments, this event is crucial for maintaining security compliance and tracking administrative actions.

    The event fires on the domain controller where the change was processed and replicates the audit information across the domain. System administrators rely on this event to monitor unauthorized group modifications, track administrative activities, and maintain audit trails for compliance requirements. The event includes the security identifier (SID) of both the modified group and the user account that initiated the change.

    Frequently Asked Questions

    What's the difference between Event ID 4737 and Event ID 4735?+
    Event ID 4737 tracks changes to security-enabled global groups, while Event ID 4735 tracks changes to security-enabled local groups. Global groups can contain users from the same domain and can be used across the forest, whereas local groups are typically used for resource access on specific computers or domains. Both events capture property changes but not membership modifications, which are tracked by separate event IDs (4728/4729 for global groups, 4732/4733 for local groups).
    Why am I seeing Event ID 4737 but no visible changes in Active Directory Users and Computers?+
    Event ID 4737 can fire for attribute changes that aren't visible in the standard ADUC interface. This includes modifications to extended attributes, security descriptors, or metadata updates. The event might also occur due to replication processes, automated scripts, or applications that modify group objects programmatically. Use tools like ADSI Edit or PowerShell's Get-ADGroup with the -Properties * parameter to see all attributes that might have been modified.
    How can I determine exactly which group attributes were changed in Event ID 4737?+
    The Event ID 4737 message includes a 'Changed Attributes' field that lists the specific attributes modified. However, this field uses LDAP attribute names rather than friendly names. Common attributes include 'description' (group description), 'groupType' (security vs distribution), and 'managedBy' (group manager). You can also enable more detailed auditing using Group Policy to capture before and after values for changed attributes, though this increases log volume significantly.
    Can Event ID 4737 help identify security breaches involving group modifications?+
    Yes, Event ID 4737 is crucial for detecting unauthorized group modifications that could indicate a security breach. Look for changes made by unexpected user accounts, modifications during unusual hours, or rapid successive changes to multiple groups. Correlate these events with logon events (4624) to identify the source of the changes. Pay special attention to modifications of high-privilege groups like Domain Admins or Enterprise Admins, and set up alerts for changes to these critical groups.
    How long should I retain Event ID 4737 logs for compliance purposes?+
    Retention requirements for Event ID 4737 logs depend on your organization's compliance framework. Most regulations require 1-7 years of retention for security audit logs. HIPAA typically requires 6 years, SOX requires 7 years, and PCI DSS requires at least 1 year with 3 months immediately available. Configure your Security log size appropriately and implement log forwarding to a central SIEM or log management system to meet these retention requirements while maintaining searchability and analysis capabilities.
    Documentation

    References (2)

    1
    Microsoft Security Auditing Events DocumentationComprehensive guide to Windows security auditing events including Event ID 4737 and related group management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/auditing-security-events
    2
    Active Directory Security Auditing Best PracticesMicrosoft's official guidance on implementing security auditing for Active Directory environments.https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
    Emanuel DE ALMEIDA
    Written by

    Emanuel DE ALMEIDA

    Senior IT Journalist & Cloud Architect

    Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

    Tags
    #event-id-4737#active-directory#security-auditing

    Related Windows Events

    Windows security monitoring dashboard displaying audit events and privilege tracking logs
    Event 6276
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

    Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

    March 189 min
    Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
    Event 6274
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

    Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

    March 189 min
    Network Policy Server monitoring dashboard showing authentication events and security logs
    Event 6273
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

    Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

    March 189 min
    Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
    Event 6272
    Microsoft-Windows-Security-Auditing
    Windows EventInformation

    Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

    Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

    March 1812 min

    Discussion

    Share your thoughts and insights

    You must be logged in to comment.

    Log in
    Loading comments...