Windows Event ID 4756 – Microsoft-Windows-Security-Auditing: Universal Security Group Member Added

Event ID 4756 fires when a member is added to a universal security group in Active Directory. This security audit event tracks group membership changes for compliance and security monitoring.

Emanuel DE ALMEIDA, 18 March 2026
Event Reference

What This Event Means

Event ID 4756 is generated by the Windows Security Auditing subsystem when Active Directory processes a request to add a member to a universal security group. Universal groups can contain members from any domain in the forest and can be granted permissions to resources in any domain, making their membership changes particularly significant from a security perspective.

The event contains several key fields: the target group's name, domain and SID (Group section), the added member's distinguished name and SID (Member section), and the subject who performed the action, with the subject's SID, account name, domain and Logon ID. The Logon ID ties the change to a logon session on that domain controller, so it can be matched against that session's Event ID 4624 to recover the source workstation, IP address, logon type and authentication package; 4756 itself does not record the authentication package.

This event only fires when the Audit Security Group Management subcategory (under Account Management) is enabled for Success on domain controllers. It is written as the change is committed, but only to the Security log of the domain controller that processed the request: the new membership replicates to the other domain controllers, the audit event does not. An investigation therefore has to query every writable domain controller, or a central collector fed by all of them. Security teams use this event to detect unauthorized additions to sensitive groups, track administrative actions, and maintain compliance with regulatory requirements that mandate group membership auditing.

The event is particularly valuable for monitoring Enterprise Admins and Schema Admins, which are universal groups that exist only in the forest root domain, and custom universal groups that have been granted sensitive permissions across the forest. Note the scope dependency: Domain Admins is a global group and Administrators is domain local, so additions to those are reported as Event ID 4728 and 4732 respectively, never as 4756. Automated monitoring systems often trigger alerts when members are added to any of these high-privilege groups outside of approved change windows.
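As an added example (not code from the original article), the function below reads the fields of a 4756 event by name from its XML rather than by position in $_.Properties, so it also works unchanged for 4728 and 4732, which share the same layout. The sample XML is constructed for this demonstration; the domain controller name, domain, SIDs and account names in it are invented.

```powershell
# Added example: parse a security-group-membership event (4728/4732/4756) by field name.
function ConvertFrom-GroupMembershipEvent {
    param(
        # An EventRecord from Get-WinEvent, or the event XML as a string
        [Parameter(Mandatory, ValueFromPipeline)]$Event
    )
    process {
        $raw = if ($Event -is [string]) { $Event } else { $Event.ToXml() }
        $xml = [xml]$raw
        # EventData is a list of <Data Name="..."> elements; index them by their Name attribute
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated    = [datetime]$xml.Event.System.TimeCreated.SystemTime
            EventId        = [int]$xml.Event.System.EventID
            Computer       = $xml.Event.System.Computer   # DC that processed the change; the event is not replicated
            Subject        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SubjectSid     = $d.SubjectUserSid
            SubjectLogonId = $d.SubjectLogonId             # equals TargetLogonId of the session's 4624 on the same DC
            Group          = "$($d.TargetDomainName)\$($d.TargetUserName)"
            GroupSid       = $d.TargetSid                  # stable across renames; alert on this rather than the name
            MemberDN       = $d.MemberName                 # distinguished name of the added principal
            MemberSid      = $d.MemberSid
        }
    }
}

# Constructed sample event (invented DC name, domain, SIDs and accounts), shaped like Get-WinEvent's ToXml() output
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4756</EventID>
    <TimeCreated SystemTime="2026-03-18T09:41:07.123Z" />
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup,OU=Service Accounts,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Enterprise Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-519</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1c</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@

# Offline run against the constructed sample
ConvertFrom-GroupMembershipEvent -Event $SampleEventXml | Format-List

# Live run on a domain controller (uncomment): same function, real events of all three scopes
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756} -MaxEvents 20 | ConvertFrom-GroupMembershipEvent | Format-Table
```

Reading by name is what keeps the parser correct across the three event IDs and across future schema versions; a positional index that is right for 4756 today silently returns the wrong column if the layout shifts. The GroupSid field is the one to key alerts on: the relative identifier 519 in the sample is Enterprise Admins whatever the group is called.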

Applies to

  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually adding a user or computer to a universal security group through Active Directory Users and Computers
  • PowerShell scripts using Add-ADGroupMember cmdlet to modify universal group membership
  • Automated provisioning systems adding accounts to universal groups during user onboarding
  • Group Policy Preferences or startup scripts modifying group memberships
  • Third-party identity management tools synchronizing group memberships
  • Exchange Server tooling adding mailboxes or accounts to mail-enabled universal security groups (converting a distribution group into a security group is a separate change, logged as Event ID 4764)
  • Application service accounts being added to universal groups for cross-domain access
  • Nested group additions where a global group is added to a universal group
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand what group was modified and by whom.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4756 using the filter option
  4. Double-click the event to view details
  5. Review the Subject section to identify who made the change
  6. Check the Group section for the target universal group details
  7. Examine the Member section to see what account was added
  8. Note the timestamp and correlate with any approved change requests

Key fields to examine:

  • Subject Account Name and Security ID: who performed the action
  • Subject Logon ID: the logon session on this DC that performed it (matches the Target Logon ID of a 4624 event on the same DC)
  • Group Name, Group Domain and Security ID: which universal group was modified
  • Member Account Name: distinguished name of the account that was added
  • Member Security ID: SID of the added member
02

Query Events with PowerShell

Use PowerShell to query and analyze Event ID 4756 across multiple domain controllers.

  1. Open PowerShell as Administrator on a domain controller (or on a host with the RSAT ActiveDirectory module and remote event log access)
  2. Query recent group membership additions. The EventData of 4756 is positional: 0 MemberName, 1 MemberSid, 2 TargetUserName (group), 3 TargetDomainName, 4 TargetSid, 5 SubjectUserSid, 6 SubjectUserName, 7 SubjectDomainName, 8 SubjectLogonId, 9 PrivilegeList:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4756} -MaxEvents 50 | Select-Object TimeCreated, @{Name='Subject';Expression={$_.Properties[6].Value}}, @{Name='GroupName';Expression={$_.Properties[2].Value}}, @{Name='MemberName';Expression={$_.Properties[0].Value}}
  3. Filter for specific universal groups, matching on the group property rather than on the rendered Message text (which is locale-dependent and slow to match):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4756} | Where-Object {$_.Properties[2].Value -eq 'Enterprise Admins'} | Format-Table TimeCreated, Id, @{Name='Member';Expression={$_.Properties[0].Value}}
  4. Query across multiple domain controllers. The event is only logged on the DC that processed the change; remote queries need the "Remote Event Log Management" firewall rule open on each DC and an account that may read its Security log:
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.HostName)"
    Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; Id=4756; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, @{Name='Group';Expression={$_.Properties[2].Value}}, @{Name='Member';Expression={$_.Properties[0].Value}}
}
  5. Export results for analysis (select the fields first; the raw EventRecord does not serialise usefully to CSV):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4756; StartTime=(Get-Date).AddDays(-30)} | Select-Object TimeCreated, MachineName, Id, @{Name='Subject';Expression={$_.Properties[6].Value}}, @{Name='Group';Expression={$_.Properties[2].Value}}, @{Name='Member';Expression={$_.Properties[0].Value}} | Export-Csv -Path "C:\Temp\GroupMembershipChanges.csv" -NoTypeInformation
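The multi-DC loop above pulls every 4756 from each DC and filters on the client. As an added example (not part of the original article), the function below builds one XPath query that the Event Log service evaluates on each DC, covers the three scope-specific event IDs so that a global or domain local group on the watch list is not missed, and returns one object per addition. The default watch list, the -Days default and the output field names are my choices; it assumes the RSAT ActiveDirectory module for Get-ADDomainController and read access to each DC's Security log.

```powershell
# Added example: server-side XPath query for additions to a watch list of groups, across every DC.
function Get-SensitiveGroupAdditions {
    param(
        # Watch list (assumption: replace with your own tier-0 groups). Keep it short: Windows caps the
        # number of expressions in one XPath query, so dozens of names belong in a client-side post-filter.
        [string[]]$Groups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators'),
        [int]$Days = 7,
        # DCs to query; defaults to the current domain (from a child domain, pass the forest-root DCs explicitly)
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    # 4756 = universal, 4728 = global, 4732 = domain local. Enterprise/Schema Admins are universal,
    # Domain Admins is global and Administrators is domain local, so no single ID covers the list.
    $groupTest = ($Groups | ForEach-Object { "Data[@Name='TargetUserName']='$_'" }) -join ' or '
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $xpath = "*[System[(EventID=4728 or EventID=4732 or EventID=4756) and TimeCreated[@SystemTime>='$since']] and EventData[$groupTest]]"

    foreach ($dc in $DomainController) {
        try {
            # Each DC only holds the events for changes it processed itself
            Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    DC          = $dc
                    EventId     = $_.Id
                    Group       = $_.Properties[2].Value                                   # TargetUserName
                    Member      = $_.Properties[0].Value                                   # MemberName (DN)
                    Subject     = "$($_.Properties[7].Value)\$($_.Properties[6].Value)"   # domain\user
                    LogonId     = '0x{0:x}' -f [uint64]$_.Properties[8].Value             # pivot key for 4624 on this DC
                }
            }
        } catch {
            # Get-WinEvent throws when nothing matches; only surface real failures (RPC unreachable, access denied)
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $($_.Exception.Message)" }
        }
    }
}

# Usage:
# Get-SensitiveGroupAdditions -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize
```

The XPath string the function builds is the same query language Event Viewer custom views and Windows Event Forwarding subscriptions use, so it can be pasted into either unchanged once the time predicate is dropped. The LogonId column is deliberately rendered in the 0x-prefixed hex form that the event XML uses, so it can go straight into a follow-up XPath against 4624.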
03

Verify Group Membership and Permissions

Validate the current group membership and assess the security impact of the addition.

  1. Check current universal group membership (direct members; nested groups show up as group objects and need to be expanded separately, for example with Get-ADGroupMember -Recursive):
Get-ADGroup -Identity "GroupName" -Properties Members | Select-Object -ExpandProperty Members | Get-ADObject
  2. Verify the added account details:
Get-ADUser -Identity "AddedUserName" -Properties MemberOf, LastLogonDate, PasswordLastSet | Select-Object Name, SamAccountName, MemberOf, LastLogonDate, PasswordLastSet
  3. Check what the group is allowed to do. nTSecurityDescriptor cannot be matched with -like in an LDAP filter, so read the ACL of each OU through the AD: drive (created when the ActiveDirectory module loads) and keep the ACEs granted to the group. Repeat per domain, and widen the object set if the group is used on individual objects:
$Group = Get-ADGroup -Identity "GroupName"
Get-ADOrganizationalUnit -Filter * | ForEach-Object { $dn = $_.DistinguishedName; (Get-Acl "AD:\$dn").Access |
    Where-Object { $_.IdentityReference -like "*\$($Group.SamAccountName)" } |
    Select-Object @{Name='OU';Expression={$dn}}, ActiveDirectoryRights, AccessControlType, IsInherited }
  4. Review the added account's other universal memberships (direct memberships only; rights acquired through nested groups must be checked through those groups):
Get-ADPrincipalGroupMembership -Identity "AddedUserName" | Where-Object {$_.GroupScope -eq "Universal"}
  5. Validate against approved access lists:
  • Compare current membership with documented authorized users
  • Check if the addition follows change management procedures
  • Verify business justification for the group membership
Warning: Universal groups with Enterprise Admin or Schema Admin privileges require immediate validation of any membership changes.
04

Investigate Unauthorized Changes

Perform detailed forensic analysis when suspicious group membership changes are detected.

  1. Correlate with logon events for the subject account. The Subject Security ID is $_.Properties[5].Value of the 4756 event; search the DC that logged the change first (a change made from a workstation over LDAP or RPC shows up there as a 4624 with logon type 3) and then the workstation itself:
$SubjectSID = "S-1-5-21-..."
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -like "*$SubjectSID*"}
  2. Check for related security events in the same window (additions and removals across all three group scopes):
$TimeWindow = (Get-Date).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4729,4732,4733,4756,4757; StartTime=$TimeWindow} | Sort-Object TimeCreated
  3. Review explicit-credential use on the source workstation (run this there, not on the DC). In 4648, Properties[5] is the Target Account Name, i.e. the credentials that were supplied explicitly; compare it with the subject of the 4756:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} | Where-Object {$_.Properties[5].Value -eq "SubjectAccountName"}
  4. Examine process creation events on the source workstation, if Audit Process Creation is enabled together with "Include command line in process creation events"; without command-line logging dsa.msc is only visible as mmc.exe:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*dsa.msc*" -or $_.Message -like "*powershell*"}
  5. Check for privilege escalation indicators:
  • Review whether the subject account recently gained administrative privileges
  • Verify the account's normal access patterns and responsibilities
  • Check for concurrent suspicious activities from the same account
  • Validate the source IP address and authentication method used
  6. Document findings and take corrective action:
  • Remove unauthorized group membership if confirmed malicious
  • Reset compromised account passwords
  • Implement additional monitoring for the affected groups
  • Update security policies to prevent similar incidents
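Step 1 above searches by the subject's SID. As an added example (not code from the original article), the function below pivots on the Subject Logon ID instead: it takes a 4756 (or 4728/4732) record, finds the 4624 event on the same domain controller whose Target Logon ID matches, which is the session that actually made the change, and collects every other Security event that session produced around it. The window size, the output field names and the conversion of the logon ID to the 0x-prefixed form used in the event XML are my choices; it assumes it is run on, or with remote access to, the DC that logged the event.

```powershell
# Added example: pivot from a group-membership event to the logon session that performed it.
function Get-GroupChangeContext {
    param(
        # A 4728/4732/4756 EventRecord from Get-WinEvent
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [int]$WindowMinutes = 30,
        # DC to query; defaults to the one that wrote the event
        [string]$ComputerName = $Event.MachineName
    )
    # EventData layout shared by 4728/4732/4756: 0 MemberName, 2 TargetUserName (group), 6 SubjectUserName, 8 SubjectLogonId.
    # SubjectLogonId is exposed as a UInt64; the event XML (and therefore XPath) uses the 0x-prefixed hex form.
    $logonId = '0x{0:x}' -f [uint64]$Event.Properties[8].Value
    $fmt  = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $from = $Event.TimeCreated.AddMinutes(-$WindowMinutes).ToUniversalTime().ToString($fmt)
    $to   = $Event.TimeCreated.AddMinutes($WindowMinutes).ToUniversalTime().ToString($fmt)

    # The 4624 whose TargetLogonId equals our SubjectLogonId is the session that made the change.
    # 4624 layout: 8 LogonType, 10 AuthenticationPackageName, 11 WorkstationName, 18 IpAddress
    $logon = Get-WinEvent -ComputerName $ComputerName -LogName Security -MaxEvents 1 -ErrorAction SilentlyContinue `
        -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetLogonId']='$logonId']]"

    # Everything else the same session did in the window (4672, 4662, further 4728/4756, ...), filtered server-side
    $xpath = "*[System[TimeCreated[@SystemTime>='$from' and @SystemTime<='$to']] and EventData[Data[@Name='SubjectLogonId']='$logonId']]"
    $related = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordId -ne $Event.RecordId } | Sort-Object TimeCreated

    [pscustomobject]@{
        ChangeTime    = $Event.TimeCreated
        DC            = $ComputerName
        Group         = $Event.Properties[2].Value
        Member        = $Event.Properties[0].Value
        Subject       = $Event.Properties[6].Value
        LogonId       = $logonId
        LogonType     = if ($logon) { $logon.Properties[8].Value } else { $null }   # 3 = network (LDAP/RPC from a host), 10 = RDP
        AuthPackage   = if ($logon) { $logon.Properties[10].Value } else { $null }  # NTLM where Kerberos is expected deserves a look
        Workstation   = if ($logon) { $logon.Properties[11].Value } else { $null }
        SourceIp      = if ($logon) { $logon.Properties[18].Value } else { $null }
        SessionEvents = $related | Select-Object TimeCreated, Id, @{Name='Task';Expression={$_.TaskDisplayName}}
    }
}

# Usage on a DC: take the newest 4756 and reconstruct its session context
# $ev = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4756} -MaxEvents 1
# Get-GroupChangeContext -Event $ev -WindowMinutes 15 | Format-List
```

A null LogonType means no 4624 with that Logon ID was found in the DC's log, which usually means the log has rolled over or the session predates the retention window; widen the search or pull the 4624 from a collector. The SourceIp and Workstation fields are what you carry to the next host in the chain for steps 3 and 4.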
05

Implement Automated Monitoring and Alerting

Set up proactive monitoring to detect and respond to universal group membership changes in real-time.

  1. Create a PowerShell monitoring script. Run it on every domain controller, because each DC only logs the changes it processed itself, and query all three membership events: Domain Admins is a global group and never produces a 4756:
# Monitor-UniversalGroupChanges.ps1
# 4756 = universal (Enterprise Admins, Schema Admins); 4728 = global (Domain Admins); 4732 = domain local (Administrators)
$SensitiveGroups = @("Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators")
$LastCheck = (Get-Date).AddMinutes(-5)   # must equal the scheduled task interval, or changes are missed or reported twice

$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4728,4732,4756; StartTime=$LastCheck} -ErrorAction SilentlyContinue |
    Where-Object { $SensitiveGroups -contains $_.Properties[2].Value }   # Properties[2] = group name (TargetUserName)

if ($Events) {
    $Body = ($Events | ForEach-Object {
        "$($_.TimeCreated) [$($_.Id)] $($_.Properties[7].Value)\$($_.Properties[6].Value) added $($_.Properties[0].Value) to $($_.Properties[2].Value) on $($_.MachineName)"
    }) -join "`r`n"
    Send-MailMessage -To "security@company.com" -From "dc-audit@company.com" -Subject "ALERT: sensitive group membership changed" -Body $Body -SmtpServer "mail.company.com"
}
  2. Configure Windows Event Forwarding (WEF):
  • Set up a central log collector for all domain controllers
  • Configure a subscription to forward Event IDs 4728, 4732 and 4756 (and their removal counterparts 4729, 4733, 4757)
  • Create custom views for group membership changes on the collector
  3. Implement SIEM integration. For continuous ingestion use WEF or the SIEM's own agent; a one-off export for ad-hoc analysis looks like this:
# Export events in JSON format for SIEM ingestion
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4756} -MaxEvents 100 | Select-Object TimeCreated, MachineName, Id, RecordId, @{Name='Subject';Expression={$_.Properties[6].Value}}, @{Name='Group';Expression={$_.Properties[2].Value}}, @{Name='GroupSid';Expression={$_.Properties[4].Value}}, @{Name='Member';Expression={$_.Properties[0].Value}}, @{Name='MemberSid';Expression={$_.Properties[1].Value}} | ConvertTo-Json | Out-File "C:\Logs\GroupChanges.json"
  4. Set up a scheduled task for monitoring (-Once is required when -At is combined with -RepetitionInterval; run as SYSTEM so the task can read the Security log without a stored credential):
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Monitor-UniversalGroupChanges.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
Register-ScheduledTask -TaskName "MonitorUniversalGroups" -Action $Action -Trigger $Trigger -User "NT AUTHORITY\SYSTEM" -RunLevel Highest
  5. Create custom Event Viewer views:
  • Open Event Viewer and create a custom view
  • Filter for Event IDs 4728, 4732 and 4756 from the Security log
  • Save the view as "Group Membership Changes"
  • Use "Attach Task To This Custom View" to run a notification script the moment a matching event is written, instead of polling
Pro tip: Use Group Policy to enable advanced audit policies across all domain controllers to ensure consistent Event ID 4756 logging.

Overview

Event ID 4756 is a security audit event that fires whenever a member is added to a universal security group in Active Directory. This event appears in the Security log on domain controllers and provides detailed information about who added the member, which group was modified, and what account was added. Universal groups are used across domains in a forest, making this event critical for tracking cross-domain security changes.

The event fires immediately when group membership changes occur through Active Directory Users and Computers, PowerShell cmdlets, or programmatic interfaces. It captures both user and computer accounts being added to universal security groups. This event is essential for security auditing, compliance reporting, and detecting unauthorized group modifications that could lead to privilege escalation.

Domain administrators rely on this event to monitor changes to high-privilege universal groups like Enterprise Admins or custom security groups with elevated permissions. The event provides the security identifier (SID) of both the group and the added member, along with the account that performed the action.

Frequently Asked Questions

What does Event ID 4756 mean and when does it occur?+
Event ID 4756 indicates that a member has been added to a universal security group in Active Directory. This event fires immediately when an administrator, script, or application adds a user, computer, or group to a universal security group. The event appears in the Security log on domain controllers and provides detailed audit information including who made the change, which group was modified, and what account was added. Universal groups are significant because they can contain members from any domain in the forest and can be granted permissions across domains.
How can I identify which specific universal group was modified in Event ID 4756?+
The group is identified in the 'Group' section of the event. 'Group Name' holds the group's account name, 'Group Domain' holds the domain it belongs to (not the distinguished name), and 'Security ID' holds the group's SID, which is the stable identifier to alert on because it survives a rename. In PowerShell, $_.Properties[2].Value is the group name, $_.Properties[3].Value the domain and $_.Properties[4].Value the SID; the member that was added is at $_.Properties[0].Value (distinguished name) and $_.Properties[1].Value (SID), and the account that made the change at $_.Properties[6].Value.
Why am I not seeing Event ID 4756 in my Security logs?+
Event ID 4756 requires specific audit policy settings to be enabled. Configure 'Audit Security Group Management' on your domain controllers through Group Policy at Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Security Group Management, set to 'Success'. If the legacy 'Audit account management' setting is also in use, enable 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' so the subcategory wins, and confirm the effective policy on a DC with auditpol /get /subcategory:"Security Group Management". Also make sure you are looking in the right place: the event only appears in the Security log of the domain controller that processed the change, never on member servers, and it is not replicated to the other DCs. Finally, check the group's scope: a member added to a global group produces Event ID 4728 and one added to a domain local group produces 4732, not 4756.
How can I differentiate between authorized and unauthorized universal group membership changes?+
To identify unauthorized changes, correlate Event ID 4756 with your change management processes and normal administrative patterns. Check the 'Subject' field to see who made the change and verify this against approved change requests. Look at the timestamp to see if changes occurred during normal business hours or maintenance windows. Review the source workstation and authentication method used. For high-privilege groups like Enterprise Admins, any unexpected additions should be investigated immediately. Implement baseline monitoring to understand normal group membership patterns and alert on deviations.
Can Event ID 4756 help detect privilege escalation attacks?+
Yes, Event ID 4756 is crucial for detecting privilege escalation attacks targeting universal groups. Attackers often add compromised accounts to high-privilege universal groups to gain forest-wide access. Monitor for additions to sensitive groups like Enterprise Admins, Schema Admins, or custom groups with elevated permissions. Look for patterns such as service accounts being added to administrative groups, additions occurring outside business hours, or multiple rapid group changes. Correlate these events with authentication logs (Event ID 4624) and process creation events (Event ID 4688) to build a complete attack timeline. Automated alerting on sensitive group changes enables rapid incident response.