Windows Event ID 4754 – Microsoft-Windows-Security-Auditing: Security-Enabled Universal Group Member Added

Event ID 4754 fires when a member is added to a security-enabled universal group in Active Directory. This audit event tracks group membership changes for compliance and security monitoring.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

What This Event Means

Event ID 4754 represents a critical security audit point in Active Directory environments. When this event fires, it indicates that someone with appropriate permissions has successfully added a new member to a security-enabled universal group. The event contains detailed forensic information including the security identifier (SID) of the subject who performed the action, the distinguished name of the target group, and the SID of the newly added member.

The event structure includes several key fields: the Subject section identifies who made the change (including Account Name, Account Domain, and Logon ID), the Group section specifies which universal group was modified (Group Name, Group Domain, and Group SID), and the Member section details what was added (Member Name, Member SID, and Member Type). Additional context includes the Process Information showing which process initiated the change and the Network Information indicating the source workstation.

This audit event is generated only when the appropriate audit policy is enabled through Group Policy or local security policy. By default, Windows Server 2019 and later versions include this in the advanced audit policy subcategory 'Audit Security Group Management' under Account Management. The event helps organizations maintain compliance with security frameworks like SOX, HIPAA, and PCI-DSS that require detailed access control auditing.

Understanding this event is crucial for detecting potential security incidents such as privilege escalation attempts, insider threats, or compromised administrative accounts being used to grant unauthorized access through group membership manipulation.
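The field layout described above is easiest to see on the raw XML that Get-WinEvent returns. The block below is an added example, not code from the original article: it parses a constructed 4754 event (made-up names, SIDs and timestamp) into the Subject, Group and Member fields by the Name attribute of each Data element. Note that the group appears in the XML as TargetUserName/TargetDomainName/TargetSid even though Event Viewer labels it "Group".

```powershell
# Added example: parse a 4754 event's XML into named fields.
# The XML below is a constructed sample; every name, SID and time is made up.
$Sample4754Xml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4754</EventID>
    <TimeCreated SystemTime="2026-03-18T02:14:07.1234567Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-519</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5a3f2</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Event4754Xml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml

    # Index every <Data> element by its Name attribute. Reading Data[n] by position
    # is fragile: in this template the Member fields come first, then the group
    # (Target*), then the Subject, so positional indexes silently return the wrong column.
    $fields = @{}
    foreach ($item in $doc.Event.EventData.Data) {
        $fields[$item.GetAttribute('Name')] = $item.InnerText
    }

    [PSCustomObject]@{
        TimeCreated       = [datetime]$doc.Event.System.TimeCreated.SystemTime
        Computer          = $doc.Event.System.Computer
        SubjectUserName   = $fields['SubjectUserName']    # who made the change
        SubjectDomainName = $fields['SubjectDomainName']
        SubjectLogonId    = $fields['SubjectLogonId']     # correlate with 4624/4672 etc.
        GroupName         = $fields['TargetUserName']     # the modified universal group
        GroupDomain       = $fields['TargetDomainName']
        GroupSid          = $fields['TargetSid']
        MemberName        = $fields['MemberName']         # distinguished name of the added object
        MemberSid         = $fields['MemberSid']          # stable even if the object is renamed
    }
}

# Works the same on live data: (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4754} -MaxEvents 1).ToXml()
ConvertFrom-Event4754Xml -Xml $Sample4754Xml | Format-List
```

The same function can be fed the output of `$_.ToXml()` from Get-WinEvent on a domain controller; the MemberSid and GroupSid survive renames, which is why they are the right keys for long-term correlation.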

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually adding a user or computer to a security-enabled universal group through Active Directory Users and Computers
  • PowerShell scripts or automated processes using Add-ADGroupMember cmdlet to modify universal group membership
  • Third-party identity management systems synchronizing group memberships with Active Directory
  • Exchange Server automatically adding mailbox-enabled objects to mail-enabled universal security groups (distribution lists that are also security-enabled)
  • Group Policy Preferences configured to manage local group memberships that target universal groups
  • LDAP applications or custom tools performing group membership modifications through directory service APIs
  • Migration tools or directory synchronization services adding members during organizational changes
  • Service accounts being granted membership in universal groups for cross-domain resource access
Resolution Methods

Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the specific event details to understand what happened and who was involved.

  1. Open Event Viewer on the domain controller where the event occurred
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4754 using the filter option in the Actions pane
  4. Double-click the event to view detailed information including:
    • Subject: Account that performed the action
    • Group: Universal group that was modified
    • Member: Object that was added to the group
    • Process Information: Application that initiated the change
  5. Note the timestamp, source workstation, and logon session details for correlation with other events
  6. Check if the change was expected by comparing against change management records
Pro tip: Look for the Member SID in the event details - this uniquely identifies what was added even if the object name has changed.
Step 2: Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze multiple Event ID 4754 occurrences and identify patterns or suspicious activity.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent group membership additions. The EventData fields are read by their Name attribute rather than by position: in the 4754 template the Member fields come first, the group is stored as TargetUserName/TargetDomainName/TargetSid, and the Subject fields follow, so positional indexes return the wrong columns:
    $Results = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4754} -MaxEvents 50 | ForEach-Object {
        $xml = [xml]$_.ToXml()
        # Build a Name -> value lookup from the EventData block
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            SubjectUserName   = $d['SubjectUserName']
            SubjectDomainName = $d['SubjectDomainName']
            SubjectLogonId    = $d['SubjectLogonId']
            GroupName         = $d['TargetUserName']   # the modified group
            GroupDomain       = $d['TargetDomainName']
            GroupSid          = $d['TargetSid']
            MemberName        = $d['MemberName']       # distinguished name of the added object
            MemberSid         = $d['MemberSid']
        }
    }
    $Results | Format-Table -AutoSize
  3. Filter for specific groups of interest:
    # Note: Domain Admins is a global group, so additions to it are logged as Event ID 4728, not 4754
    $TargetGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
    $Results | Where-Object { $TargetGroups -contains $_.GroupName }
  4. Export results for further analysis or reporting:
    $Results | Export-Csv -Path "C:\Temp\GroupMembershipChanges.csv" -NoTypeInformation
Step 3: Correlate with Related Security Events

Investigate related events to build a complete picture of the group membership change activity.

  1. Search for corresponding logon events around the same timeframe, matching on the Subject Account Name taken from the 4754 event:
    $SubjectUserName = "REPLACE_WITH_SUBJECT_ACCOUNT"  # Subject > Account Name from Event 4754
    $StartTime = (Get-Date).AddHours(-2)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4624,4625,4648
        StartTime=$StartTime
        EndTime=$EndTime
    } | Where-Object { $_.Message -like "*$SubjectUserName*" }
  2. Check for Event ID 4728 (member added to security-enabled global group) and Event ID 4732 (member added to security-enabled local group) for comprehensive group change tracking
  3. Look for Event ID 4756 (member removed from security-enabled universal group) to see if this was part of a membership transfer
  4. Examine Event ID 4672 (special privileges assigned to new logon) to identify if administrative privileges were used
  5. Cross-reference with Event ID 5136 (directory service object modified) for additional Active Directory change context
  6. Use the Logon ID from Event 4754 to correlate with other activities in the same session (bound the query by time, otherwise the whole Security log is read):
    $LogonId = "0x3e7"  # Replace with the actual Logon ID from Event 4754 (0x3e7 is the SYSTEM session)
    Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {
        $_.Message -like "*$LogonId*"
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
Step 4: Verify Group Membership and Permissions Impact

Validate the current state of the group and assess the security implications of the membership addition.

  1. Check the current membership of the affected universal group:
    Get-ADGroupMember -Identity "GroupName" -Recursive | Select-Object Name, ObjectClass, SamAccountName, DistinguishedName
  2. List the groups the universal group is itself nested in, since rights granted to those parent groups apply to every member of this group:
    Get-ADGroup -Identity "GroupName" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object {
        Get-ADGroup -Identity $_ | Select-Object Name, GroupScope, GroupCategory
    }
  3. Check if the group has any special privileges or is nested in privileged groups:
    $Group = Get-ADGroup -Identity "GroupName" -Properties MemberOf
    $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    $Group.MemberOf | ForEach-Object {
        $ParentGroup = Get-ADGroup -Identity $_
        if ($PrivilegedGroups -contains $ParentGroup.Name) {
            Write-Warning "Group $($Group.Name) is member of privileged group: $($ParentGroup.Name)"
        }
    }
  4. Audit the newly added member's existing group memberships:
    Get-ADUser -Identity "NewMemberName" -Properties MemberOf | Select-Object -ExpandProperty MemberOf | ForEach-Object {
        Get-ADGroup -Identity $_ | Select-Object Name, GroupScope, GroupCategory
    }
  5. Review any Group Policy Objects that might be affected by this membership change
Warning: Universal groups can significantly impact network traffic during replication. Monitor replication health after significant membership changes.
Step 5: Implement Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on future universal group membership changes.

  1. Create a custom Windows Event Forwarding subscription to centralize Event ID 4754 from all domain controllers
  2. Configure a PowerShell script for real-time monitoring. Register-WmiEvent is a Windows PowerShell 5.1 cmdlet (the WMI cmdlets are not present in PowerShell 7, where Register-CimIndicationEvent is the equivalent), and the "GroupMonitor" event source must be created once before Write-EventLog can use it:
    # Save as Monitor-UniversalGroupChanges.ps1
    # One-time setup (elevated): New-EventLog -LogName Application -Source "GroupMonitor"
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4754" -Action {
        # $Event is PowerShell's automatic variable for the triggering event; copy the log record out of it
        $LogEvent = $Event.SourceEventArgs.NewEvent.TargetInstance
        $Message = "Universal Group Member Added: $($LogEvent.Message)"
        Write-EventLog -LogName Application -Source "GroupMonitor" -EventId 1001 -Message $Message -EntryType Information
        # Add email notification or SIEM integration here
    }
  3. Set up Windows Task Scheduler to run monitoring scripts at regular intervals
  4. Create custom Event Viewer views for security teams:
    • Filter: Event ID 4754, 4756 (member removed), 4728, 4732
    • Group by: Group Name or Subject User Name
    • Time range: Last 24 hours or 7 days
  5. Configure SIEM integration using Windows Event Forwarding or log shipping agents
  6. Implement automated response procedures for high-risk group changes. The alert logic is wrapped in a function so the monitor above can call it with the parsed event fields; Send-MailMessage also needs a sender address and an SMTP relay (placeholder values below):
    # Example automated response (call with the parsed event fields)
    function Invoke-PrivilegedGroupAlert([string]$GroupName, [string]$SubjectUserName, [string]$MemberName) {
        if ($GroupName -in @('Domain Admins', 'Enterprise Admins')) {
            $AlertMessage = "$SubjectUserName added $MemberName to $GroupName"
            Send-MailMessage -From "groupmonitor@company.com" -To "security@company.com" -SmtpServer "smtp.company.com" `
                -Subject "ALERT: Privileged Group Modified" -Body $AlertMessage
            # Optionally disable the account pending investigation
            # Disable-ADAccount -Identity $SubjectUserName
        }
    }
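Steps 1 and 4 above (the forwarding subscription and the custom Event Viewer view) both boil down to an XPath query over the Security log. The block below is an added example, not part of the original article: it builds one query that matches the four group-change events and, for 4754 only, narrows to a watch list of universal groups. The same XML can be pasted into a custom view's XML tab, used as the Select of a Windows Event Forwarding subscription, or passed to Get-WinEvent -FilterXml. The group names are assumptions; names containing an apostrophe would need escaping.

```powershell
# Added example: build an Event Log XPath query for group-change events.
# Group names below are assumed watch-list entries, not taken from the article.
$WatchedGroups = @('Enterprise Admins', 'Schema Admins')

function New-GroupChangeQueryXml {
    param(
        [Parameter(Mandatory)][string[]]$Groups,
        [int]$LastHours = 24
    )
    # timediff() works in milliseconds relative to now
    $ms = $LastHours * 3600 * 1000

    # EventData[Data[@Name='TargetUserName']='X'] selects on the group name field of 4754
    $groupTests = ($Groups | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '

@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4728 or EventID=4732 or EventID=4756) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]</Select>
    <Select Path="Security">*[System[EventID=4754 and TimeCreated[timediff(@SystemTime) &lt;= $ms]] and EventData[$groupTests]]</Select>
  </Query>
</QueryList>
"@
}

# Last 7 days of changes; print the query so it can be pasted into a custom view or subscription
$QueryXml = New-GroupChangeQueryXml -Groups $WatchedGroups -LastHours 168
$QueryXml

# On a domain controller, the same query filters server-side instead of parsing every event:
# Get-WinEvent -FilterXml ([xml]$QueryXml) -MaxEvents 200
```

Filtering on TargetUserName in the query itself means a collector or SIEM only receives the privileged-group additions, which keeps the forwarded volume down without losing the 4728/4732/4756 context events.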

Overview

Event ID 4754 is a security audit event that fires whenever a member is added to a security-enabled universal group in Active Directory. This event appears in the Security log on domain controllers and provides detailed information about who added which member to what group, along with timestamps and authentication details.

Universal groups are Active Directory security groups that can contain users, computers, and other groups from any domain in the forest. When organizations enable advanced audit policies for group management, Windows generates this event to maintain an audit trail of group membership changes. The event captures the subject who performed the action, the target group that was modified, and the member that was added.

This event is particularly valuable for security teams monitoring privileged group changes, compliance auditors tracking access control modifications, and administrators investigating unauthorized group membership additions. The event fires on the domain controller that processed the group modification request, making it essential to collect logs from all DCs for complete visibility.

Frequently Asked Questions

What is the difference between Event ID 4754 and other group membership events?

Event ID 4754 specifically tracks additions to security-enabled universal groups. Event ID 4728 covers global groups, Event ID 4732 covers local groups, and Event ID 4756 tracks removals from universal groups. Universal groups are unique because they can contain members from any domain in the forest and their membership is replicated to all global catalogs, making changes more impactful on network traffic and replication.

Why am I not seeing Event ID 4754 in my Security log?

Event ID 4754 requires the 'Audit Security Group Management' policy to be enabled. Check Group Policy Management Console under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit Security Group Management. Ensure it's set to 'Success' or 'Success and Failure'. Also verify that the group in question is actually a security-enabled universal group, not a distribution group or a different group scope.

Can Event ID 4754 help detect privilege escalation attacks?

Yes, Event ID 4754 is crucial for detecting privilege escalation attempts. Attackers often add compromised accounts to privileged universal groups to gain elevated access across domains. Monitor for unexpected additions to high-privilege groups, especially during off-hours or by accounts that don't normally manage group memberships. Correlate with logon events and look for patterns like rapid successive group additions or additions by recently compromised accounts.

How can I automate the analysis of Event ID 4754 across multiple domain controllers?

Use Windows Event Forwarding to centralize logs from all domain controllers to a collector server. Create PowerShell scripts with Get-WinEvent cmdlets that query multiple computers using the -ComputerName parameter. Implement scheduled tasks or use tools like System Center Operations Manager or third-party SIEM solutions. For real-time monitoring, consider PowerShell workflows or background jobs that continuously monitor the event logs and trigger alerts based on predefined criteria.

What information should I document when investigating Event ID 4754?

Document the complete event details including timestamp, subject account (who made the change), target group name and SID, added member name and SID, source workstation, and process information. Record the business justification for the change, whether it was authorized through change management, and any related events in the same timeframe. Include the current group membership before and after the change, any nested group relationships, and the potential security impact. This documentation is essential for compliance audits and incident response procedures.
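The Group Policy path above sets the policy; on the domain controller itself the effective value can be confirmed with auditpol. The block below is an added example, not from the original article. It assumes auditpol's /r switch returns CSV with an 'Inclusion Setting' column, which is how the local effective policy is reported.

```powershell
# Added example: confirm the subcategory behind Event ID 4754 is enabled on this DC.
# Assumes 'auditpol /get ... /r' returns CSV with an 'Inclusion Setting' column.
function Test-SecurityGroupManagementAudit {
    $rows = auditpol /get /subcategory:"Security Group Management" /r | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    [PSCustomObject]@{
        Subcategory = 'Security Group Management'
        Setting     = $setting
        # 4754 is a Success audit, so 'Success' or 'Success and Failure' is required
        Enabled     = ($setting -match 'Success')
    }
}

Test-SecurityGroupManagementAudit

# To enable locally (elevated). A GPO that configures the subcategory overrides this
# at the next policy refresh, so make the change in the GPO as well:
# auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
```

If Enabled comes back false on one DC but true on others, the event is simply not being written there, which is a common reason for gaps in centralized 4754 collections.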
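The patterns named in this answer (privileged group, off-hours, an unusual subject, rapid successive additions) can be expressed as a small rule set. The block below is an added example and not part of the original article; it runs the rules over a constructed list of already-parsed 4754 records (made-up accounts, groups and times) and reports the reasons each one was flagged. The watch-listed groups, the list of accounts expected to manage membership, the UTC business hours and the burst threshold are all assumptions to be tuned per environment.

```powershell
# Added example: flag suspicious 4754 additions from already-parsed event fields.
# The records below are constructed; every account, group and timestamp is made up.
$Events = @(
    [PSCustomObject]@{ TimeCreated=[datetime]'2026-03-18T10:02:00Z'; SubjectUserName='adm-idm-sync'; GroupName='APP-Finance-Readers';  MemberName='CN=asmith,OU=Users,DC=corp,DC=example' }
    [PSCustomObject]@{ TimeCreated=[datetime]'2026-03-18T02:14:07Z'; SubjectUserName='jdoe';         GroupName='Enterprise Admins';    MemberName='CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' }
    [PSCustomObject]@{ TimeCreated=[datetime]'2026-03-18T02:15:30Z'; SubjectUserName='jdoe';         GroupName='Schema Admins';        MemberName='CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' }
    [PSCustomObject]@{ TimeCreated=[datetime]'2026-03-18T02:16:45Z'; SubjectUserName='jdoe';         GroupName='APP-Finance-Readers';  MemberName='CN=svc-backup,OU=Service Accounts,DC=corp,DC=example' }
)

function Find-SuspiciousUniversalGroupAdds {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$PrivilegedGroups = @('Enterprise Admins', 'Schema Admins'),  # assumption: universal groups to watch
        [string[]]$KnownGroupAdmins = @('adm-idm-sync'),                       # assumption: accounts that normally manage membership
        [int]$BurstWindowMinutes = 10,
        [int]$BurstThreshold = 3,
        [int]$WorkdayStartUtc = 7,
        [int]$WorkdayEndUtc = 19
    )
    $sorted = $Events | Sort-Object TimeCreated
    foreach ($e in $sorted) {
        $reasons = @()
        if ($PrivilegedGroups -contains $e.GroupName) { $reasons += "privileged universal group '$($e.GroupName)'" }
        if ($KnownGroupAdmins -notcontains $e.SubjectUserName) { $reasons += 'subject does not normally manage group membership' }

        # Off-hours check in UTC so the result does not depend on the analyst's time zone
        $hour = $e.TimeCreated.ToUniversalTime().Hour
        if ($hour -lt $WorkdayStartUtc -or $hour -ge $WorkdayEndUtc) { $reasons += "outside business hours (${hour}:00 UTC)" }

        # Burst check: additions by the same subject in the trailing window, this event included
        $windowStart = $e.TimeCreated.AddMinutes(-$BurstWindowMinutes)
        $burst = @($sorted | Where-Object {
            $_.SubjectUserName -eq $e.SubjectUserName -and $_.TimeCreated -ge $windowStart -and $_.TimeCreated -le $e.TimeCreated
        }).Count
        if ($burst -ge $BurstThreshold) { $reasons += "$burst additions by the same subject within $BurstWindowMinutes minutes" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TimeCreated = $e.TimeCreated
                Subject     = $e.SubjectUserName
                Group       = $e.GroupName
                Member      = $e.MemberName
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# With the constructed input, the first record is clean and the three 'jdoe' additions are flagged,
# the third one additionally for the burst of three within ten minutes.
Find-SuspiciousUniversalGroupAdds -Events $Events | Format-Table -AutoSize
```

On live data the input would be the objects produced in Step 2 (one per 4754 event, with SubjectUserName, GroupName and MemberName populated); the burst rule deliberately counts the current event so that a threshold of three fires on the third addition rather than the fourth.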

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
