ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Active Directory management console showing group membership configuration on a professional monitoring setup
Event ID 4752InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4752 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Disabled Global Group

Event ID 4752 fires when a user or computer account is added to a security-disabled global group in Active Directory, providing audit trail for group membership changes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4752Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4752 represents a fundamental Active Directory auditing mechanism that tracks additions to security-disabled global groups. When this event fires, it indicates that someone has successfully added a user, computer, or group object to a global group that has its security features disabled.

The event generates on the domain controller that processes the group modification request. Windows creates this audit record regardless of whether the change was made through graphical tools like Active Directory Users and Computers, command-line utilities such as dsmod, or PowerShell Active Directory cmdlets. The event also fires when automated processes or applications modify group membership through LDAP operations.

Security-disabled global groups, also known as distribution groups, cannot be used in access control lists (ACLs) or security descriptors. They serve primarily as email distribution lists in messaging systems like Microsoft Exchange. However, these groups can be converted to security-enabled groups, making membership tracking crucial for security planning and compliance auditing.

The event record contains detailed information including the security identifier (SID) of both the added member and the target group, the distinguished name of the group, and the account that performed the modification. This granular detail enables administrators to create comprehensive audit trails and investigate unauthorized changes to group structures.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually adding users to distribution groups through Active Directory Users and Computers
  • PowerShell scripts executing Add-ADGroupMember cmdlets against security-disabled global groups
  • Exchange management tools automatically updating distribution list memberships
  • Third-party identity management systems synchronizing group memberships
  • LDAP applications programmatically modifying group member attributes
  • Bulk import operations using csvde or ldifde utilities
  • Group Policy Preferences configuring local group memberships that reference global groups
  • Migration tools transferring group structures between domains or forests
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Open Event Viewer and navigate to the Security log to examine the event details:

  1. Press Windows + R, type eventvwr.msc, and press Enter
  2. Navigate to Windows LogsSecurity
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4752 in the Event IDs field and click OK
  5. Double-click on an Event ID 4752 entry to view details
  6. Review the following key fields in the event description:
    • Subject: Account that made the change
    • Member: Account that was added to the group
    • Group: Target group name and domain
    • Additional Information: Privileges used for the operation

The event XML view provides structured data for automated processing and contains SID values for precise identification.

02

Query Events with PowerShell

Use PowerShell to query and analyze Event ID 4752 occurrences across multiple domain controllers:

# Query recent 4752 events from local Security log
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4752} -MaxEvents 50 | 
  Select-Object TimeCreated, Id, LevelDisplayName, Message

# Extract specific details from event messages
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4752} -MaxEvents 10 | 
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
      TimeCreated = $_.TimeCreated
      SubjectUserName = $xml.Event.EventData.Data[1].'#text'
      SubjectDomainName = $xml.Event.EventData.Data[2].'#text'
      MemberName = $xml.Event.EventData.Data[6].'#text'
      GroupName = $xml.Event.EventData.Data[8].'#text'
      GroupDomain = $xml.Event.EventData.Data[9].'#text'
    }
  }

# Query events from remote domain controller
Get-WinEvent -ComputerName 'DC01.contoso.com' -FilterHashtable @{LogName='Security'; Id=4752; StartTime=(Get-Date).AddDays(-7)}

This approach enables automated monitoring and reporting of group membership changes across your Active Directory infrastructure.

03

Configure Advanced Audit Policy

Ensure proper audit policy configuration to capture Event ID 4752 consistently:

  1. Open Group Policy Management Console and edit the Default Domain Controllers Policy
  2. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Audit PoliciesAccount Management
  4. Double-click Audit Distribution Group Management
  5. Check Configure the following audit events and select Success
  6. Click OK and run gpupdate /force on domain controllers

Verify the policy is applied correctly:

# Check current audit policy settings
auditpol /get /subcategory:"Distribution Group Management"

# Set audit policy via command line if needed
auditpol /set /subcategory:"Distribution Group Management" /success:enable

This ensures all distribution group membership changes generate audit events for compliance and security monitoring.

04

Investigate Group Membership Changes

Correlate Event ID 4752 with related events to build a complete picture of group modifications:

# Find all group-related events for a specific timeframe
$StartTime = (Get-Date).AddHours(-24)
$GroupEvents = Get-WinEvent -FilterHashtable @{
  LogName='Security'
  Id=4752,4753,4756,4757
  StartTime=$StartTime
} | Sort-Object TimeCreated

# Analyze patterns in group changes
$GroupEvents | Group-Object Id | Select-Object Name, Count

# Check for suspicious activity patterns
$GroupEvents | Where-Object {$_.Id -eq 4752} | 
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
      Time = $_.TimeCreated
      User = $xml.Event.EventData.Data[1].'#text'
      AddedMember = $xml.Event.EventData.Data[6].'#text'
      Group = $xml.Event.EventData.Data[8].'#text'
    }
  } | Group-Object User | Where-Object Count -gt 10

Cross-reference with Active Directory to verify current group membership:

# Verify current group membership
Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName, ObjectClass

# Check group properties
Get-ADGroup -Identity "GroupName" -Properties *
05

Implement Automated Monitoring and Alerting

Create automated monitoring solutions to track and alert on Event ID 4752 occurrences:

# PowerShell script for continuous monitoring
$Action = {
  $Event = $Event.SourceEventArgs.NewEvent
  $xml = [xml]$Event.ToXml()
  $GroupName = $xml.Event.EventData.Data[8].'#text'
  $AddedMember = $xml.Event.EventData.Data[6].'#text'
  $User = $xml.Event.EventData.Data[1].'#text'
  
  # Send alert for critical groups
  if ($GroupName -match "Executive|Finance|HR") {
    Send-MailMessage -To "security@company.com" -From "monitoring@company.com" `
      -Subject "Critical Group Change Alert" `
      -Body "User $AddedMember was added to $GroupName by $User at $(Get-Date)"
  }
}

# Register event watcher
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4752" -Action $Action

Configure Windows Event Forwarding for centralized collection:

  1. On collector server, run wecutil qc to configure Windows Event Collector
  2. Create subscription configuration file:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>GroupChanges</SubscriptionId>
  <Query>
    <![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[EventID=4752]]</Select></Query></QueryList>]]>
  </Query>
</Subscription>

Deploy the subscription: wecutil cs GroupChanges.xml

Overview

Event ID 4752 generates when a member is added to a security-disabled global group in Active Directory. This audit event fires on domain controllers when group membership changes occur, specifically for global groups that have security disabled (distribution groups). The event captures critical details including who made the change, which account was added, and the target group name.

This event is part of Windows Advanced Audit Policy configuration under Account Management auditing. Domain administrators typically monitor this event to track unauthorized group membership changes and maintain security compliance. The event fires immediately when the group modification occurs through Active Directory Users and Computers, PowerShell cmdlets, or programmatic LDAP operations.

Unlike security-enabled groups that control access permissions, security-disabled global groups are primarily used for email distribution lists in Exchange environments. However, tracking membership changes remains important for organizational security and compliance auditing requirements.

Frequently Asked Questions

What is the difference between Event ID 4752 and 4728?+
Event ID 4752 fires when members are added to security-disabled global groups (distribution groups), while Event ID 4728 occurs when members are added to security-enabled global groups. The key distinction is that security-disabled groups cannot be used in access control lists and are primarily used for email distribution, whereas security-enabled groups control access to resources. Both events have similar structure but serve different security auditing purposes.
Why am I not seeing Event ID 4752 in my Security log?+
Event ID 4752 requires the 'Audit Distribution Group Management' policy to be enabled under Advanced Audit Policy Configuration. Check your Group Policy settings under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. Ensure 'Success' auditing is enabled for Distribution Group Management. Also verify that you're looking at domain controller logs, as this event only generates on DCs that process the group modification.
Can Event ID 4752 indicate a security breach?+
While Event ID 4752 involves security-disabled groups that don't directly control resource access, it can indicate security concerns. Unauthorized additions to distribution groups might suggest compromised accounts or insider threats. More critically, distribution groups can be converted to security-enabled groups, so monitoring membership changes helps prevent privilege escalation attacks. Look for patterns like bulk additions, additions during off-hours, or modifications by unexpected user accounts.
How can I correlate Event ID 4752 with Exchange distribution list changes?+
Event ID 4752 in Active Directory correlates with Exchange distribution list modifications since Exchange uses AD distribution groups. Check Exchange Management Shell logs and Exchange admin audit logs alongside Event ID 4752. Use PowerShell to query both: Get-WinEvent for AD events and Get-AdminAuditLogConfig plus Search-AdminAuditLog for Exchange changes. The timestamps should align when distribution list membership changes occur through Exchange Management Console or PowerShell cmdlets like Add-DistributionGroupMember.
What information does Event ID 4752 provide for compliance auditing?+
Event ID 4752 provides comprehensive audit data including the exact timestamp of the change, the security identifier (SID) and name of the account that made the modification, the SID and name of the added member, the target group's distinguished name and SID, and the privileges used for the operation. This data satisfies most compliance requirements for tracking group membership changes, including SOX, HIPAA, and PCI-DSS auditing standards. The event also includes the workstation name and logon ID for complete traceability.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4752 and related group management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies including Distribution Group Management auditing.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4752#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...