ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows domain controller displaying security audit logs and Active Directory group management interface
Event ID 4753InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4753 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Member Removed

Event ID 4753 logs when a member is removed from a security-enabled global group in Active Directory. This security audit event tracks group membership changes for compliance and security monitoring.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4753Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Windows Event ID 4753 is a security audit event generated by the Microsoft-Windows-Security-Auditing provider when a member is removed from a security-enabled global group in Active Directory. This event occurs exclusively on domain controllers and is logged to the Security event log as part of Windows advanced audit policy configuration.

The event contains detailed information about the group membership change, including the Security ID (SID) and account name of both the user performing the action and the user being removed from the group. It also records the target group's distinguished name, domain information, and precise timestamp of the modification.

This audit event is crucial for organizations implementing security monitoring, compliance frameworks like SOX or HIPAA, and forensic analysis capabilities. The event helps administrators track changes to security groups that may affect access permissions, identify unauthorized modifications to group memberships, and maintain comprehensive audit trails for regulatory requirements.

Event ID 4753 is generated through the Local Security Authority (LSA) subsystem when Active Directory processes group membership removal operations. The event fires regardless of whether the removal was performed through graphical tools, command-line utilities, or programmatic interfaces like LDAP or PowerShell Active Directory modules.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Domain Controllers
Analysis

Possible Causes

  • Administrator manually removing a user from a security-enabled global group through Active Directory Users and Computers
  • Automated scripts or PowerShell cmdlets executing Remove-ADGroupMember operations
  • Third-party identity management systems performing group membership synchronization
  • User account deletion processes that automatically remove the user from all group memberships
  • Group policy or logon scripts modifying group memberships programmatically
  • Exchange Server or other applications removing users from mail-enabled security groups
  • Security access reviews resulting in privilege reduction and group membership cleanup
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4753 to understand what group membership change occurred.

  1. Open Event Viewer on the domain controller where the event was logged
  2. Navigate to Windows LogsSecurity
  3. Filter the log for Event ID 4753 using Filter Current LogEvent IDs: 4753
  4. Double-click the event to view detailed information including:
    • Subject: Account that performed the removal
    • Member: Account that was removed from the group
    • Group: Target security group information
    • Additional Information: Privileges used for the operation
  5. Note the timestamp, source workstation, and logon ID for correlation with other events
Pro tip: Cross-reference the Logon ID with Event ID 4624 (successful logon) to identify the session that performed the group modification.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4753 across multiple domain controllers or time periods.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent 4753 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4753} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Search for specific group membership removals:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4753; StartTime=(Get-Date).AddDays(-7)}
$Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    $Subject = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $Member = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'MemberName'} | Select-Object -ExpandProperty '#text'
    $Group = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        Subject = $Subject
        RemovedMember = $Member
        FromGroup = $Group
    }
}
  4. Export results for analysis:
    $Results | Export-Csv -Path "C:\Temp\GroupMembershipRemovals.csv" -NoTypeInformation
03

Correlate with Related Security Events

Investigate Event ID 4753 in context with related security events to build a complete picture of the group membership change.

  1. Identify the logon session that performed the group modification:
    $Event4753 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4753} -MaxEvents 1
$EventXML = [xml]$Event4753.ToXml()
$LogonId = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'} | Select-Object -ExpandProperty '#text'
Write-Host "Logon ID: $LogonId"
  2. Find the corresponding logon event (4624) for the same session:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {
    $LogonXML = [xml]$_.ToXml()
    $SessionLogonId = $LogonXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetLogonId'} | Select-Object -ExpandProperty '#text'
    $SessionLogonId -eq $LogonId
} | Select-Object TimeCreated, @{Name='LogonType';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'LogonType'} | Select-Object -ExpandProperty '#text'}}, @{Name='WorkstationName';Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'} | Select-Object -ExpandProperty '#text'}}
  3. Check for other group modifications in the same timeframe:
    $TimeWindow = $Event4753.TimeCreated
$StartTime = $TimeWindow.AddMinutes(-5)
$EndTime = $TimeWindow.AddMinutes(5)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4729,4732,4733,4756,4757; StartTime=$StartTime; EndTime=$EndTime} | Format-Table TimeCreated, Id, @{Name='EventType';Expression={switch($_.Id){4728{'User added to global group'};4729{'User removed from global group'};4732{'User added to local group'};4733{'User removed from local group'};4756{'User added to universal group'};4757{'User removed from universal group'}}}}
Warning: Large Active Directory environments may generate thousands of group membership events. Use appropriate time filters and consider performance impact when querying events.
04

Investigate Unauthorized Group Changes

When Event ID 4753 indicates potential unauthorized group membership removal, perform detailed forensic analysis.

  1. Verify the legitimacy of the group membership change by checking recent change requests or tickets
  2. Examine the subject account that performed the removal:
    $Event4753 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4753} -MaxEvents 1
$EventXML = [xml]$Event4753.ToXml()
$SubjectAccount = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
$SubjectDomain = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
Get-ADUser -Identity $SubjectAccount -Server $SubjectDomain -Properties LastLogonDate, PasswordLastSet, MemberOf | Select-Object Name, LastLogonDate, PasswordLastSet, @{Name='Groups';Expression={$_.MemberOf -join '; '}}
  3. Check if the removed user still exists and review their current group memberships:
    $RemovedMember = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'MemberName'} | Select-Object -ExpandProperty '#text'
try {
    $User = Get-ADUser -Identity $RemovedMember -Properties MemberOf, LastLogonDate
    Write-Host "User still exists. Current groups: $($User.MemberOf -join '; ')"
    Write-Host "Last logon: $($User.LastLogonDate)"
} catch {
    Write-Host "User account no longer exists or cannot be found"
}
  4. Audit the target group's current membership and recent changes:
    $TargetGroup = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
$Group = Get-ADGroup -Identity $TargetGroup -Properties Members, Description
Write-Host "Group: $($Group.Name)"
Write-Host "Description: $($Group.Description)"
Write-Host "Current member count: $($Group.Members.Count)"
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4753; StartTime=(Get-Date).AddDays(-30)} | Where-Object {
    $XML = [xml]$_.ToXml()
    $GroupName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    $GroupName -eq $TargetGroup
} | Select-Object TimeCreated, Id, @{Name='Action';Expression={if($_.Id -eq 4728){'Added'}else{'Removed'}}}
05

Configure Advanced Monitoring and Alerting

Set up proactive monitoring for Event ID 4753 to detect and respond to group membership changes in real-time.

  1. Create a custom Event Viewer view for group membership monitoring:
    • Open Event ViewerCustom ViewsCreate Custom View
    • Set Event level: Information
    • Set Event logs: Security
    • Set Event IDs: 4728,4729,4732,4733,4753,4756,4757
    • Save as "Group Membership Changes"
  2. Configure Windows Event Forwarding to centralize group change events:
    # On collector server
wecutil cs GroupMembershipSubscription.xml

# Sample subscription XML content:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>GroupMembershipChanges</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Forward group membership change events</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Normal</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[(EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4753 or EventID=4756 or EventID=4757)]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
  3. Create PowerShell monitoring script for critical groups:
    # Monitor-CriticalGroups.ps1
$CriticalGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$LastCheck = (Get-Date).AddMinutes(-5)

foreach ($Group in $CriticalGroups) {
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4753; StartTime=$LastCheck} | Where-Object {
        $XML = [xml]$_.ToXml()
        $TargetGroup = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        $TargetGroup -like "*$Group*"
    }
    
    if ($Events) {
        foreach ($Event in $Events) {
            $XML = [xml]$Event.ToXml()
            $Subject = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            $Member = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'MemberName'} | Select-Object -ExpandProperty '#text'
            
            # Send alert (customize as needed)
            Write-Warning "CRITICAL: User $Member removed from $Group by $Subject at $($Event.TimeCreated)"
            # Add email notification, SIEM integration, etc.
        }
    }
}
  4. Schedule the monitoring script to run every 5 minutes using Task Scheduler
Pro tip: Integrate Event ID 4753 monitoring with your SIEM solution or Microsoft Sentinel for advanced threat detection and automated response capabilities.

Overview

Event ID 4753 fires when a member is removed from a security-enabled global group in Active Directory. This event is part of Windows security auditing and appears in the Security log on domain controllers when group membership changes occur. The event captures critical details including who performed the action, which user was removed, from which group, and when the change occurred.

This event is essential for security monitoring, compliance auditing, and forensic investigations. Organizations use 4753 events to track unauthorized group membership changes, monitor privileged access modifications, and maintain audit trails for regulatory compliance. The event fires immediately when group membership changes through any method - Active Directory Users and Computers, PowerShell cmdlets, or programmatic interfaces.

Domain administrators typically see this event when cleaning up user accounts, removing users from distribution lists, or adjusting security group memberships during access reviews. The event provides accountability and helps detect potential security incidents involving group membership manipulation.

Frequently Asked Questions

What does Event ID 4753 mean and when does it occur?+
Event ID 4753 indicates that a member was removed from a security-enabled global group in Active Directory. This event occurs whenever someone removes a user, computer, or other security principal from a global security group through any method - Active Directory Users and Computers, PowerShell cmdlets, or programmatic interfaces. The event is logged on domain controllers in the Security log and provides detailed information about who performed the removal, which account was removed, and from which group.
How can I identify who removed a user from a security group?+
Event ID 4753 contains detailed subject information that identifies who performed the group membership removal. In the event details, look for the 'Subject' section which includes the SubjectUserName, SubjectDomainName, and SubjectLogonId. You can correlate the SubjectLogonId with Event ID 4624 (successful logon) to determine the source workstation and logon method used. Use PowerShell to parse the event XML and extract this information: the Subject fields show the account that initiated the removal, while the Member fields show which account was removed from the group.
Why am I seeing Event ID 4753 for groups I didn't manually modify?+
Event ID 4753 can be generated by various automated processes beyond manual administrative actions. Common causes include user account deletion processes that automatically remove users from all groups, Exchange Server operations modifying mail-enabled security groups, third-party identity management systems performing synchronization, automated scripts or scheduled tasks managing group memberships, and Group Policy or logon scripts executing group modifications. Additionally, some applications and services may programmatically manage group memberships as part of their normal operations.
How do I monitor Event ID 4753 for security-sensitive groups?+
To monitor Event ID 4753 for critical groups like Domain Admins or Enterprise Admins, implement several monitoring strategies. Create custom Event Viewer views filtering for Event ID 4753 and other group membership events (4728, 4729, 4732, 4733, 4756, 4757). Use PowerShell scripts to query events and filter for specific high-privilege groups, then schedule these scripts to run regularly. Configure Windows Event Forwarding to centralize group change events to a collector server. For enterprise environments, integrate with SIEM solutions or Microsoft Sentinel to create automated alerts when membership changes occur in sensitive groups. Set up email notifications or other alerting mechanisms for immediate notification of critical group modifications.
What should I do if I find unauthorized Event ID 4753 entries?+
If you discover unauthorized Event ID 4753 entries indicating suspicious group membership removals, immediately begin incident response procedures. First, verify the legitimacy of the change by checking change management records and contacting the subject account owner. Examine the subject account for signs of compromise - check recent logon patterns, password changes, and current group memberships. Determine if the removed user account still exists and review their current access permissions. Correlate the event with other security events using the LogonId to understand the full context of the session. If the change appears malicious, consider temporarily disabling the subject account, restoring the removed user to appropriate groups if necessary, and escalating to your security team for further investigation. Document all findings and implement additional monitoring for the affected accounts and groups.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive documentation covering Windows security auditing events including Event ID 4753 and related group membership audit events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial guide to configuring advanced audit policies for tracking security group membership changes and other security events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4753#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...