Windows Event ID 4757 – Microsoft-Windows-Security-Auditing: Universal Security Group Member Removed

Open Event Viewer on the domain controller and navigate to Windows Logs → Security. Filter for Event ID 4757 to examine recent group membership removals.

# Filter Security log for Event ID 4757
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4757} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Examine the event details to identify:

• Subject: Who performed the removal (Account Name, Account Domain, Logon ID)
• Member: Which account was removed (Member Name, Member SID)
• Group: Target universal group (Group Name, Group Domain, Group SID)
• Additional Information: Privileges used for the operation

Cross-reference the Logon ID with Event ID 4624 (successful logon) to determine the source workstation and authentication method used by the administrator.

Universal group changes can occur on any domain controller in the forest. Query all DCs to build a complete timeline of group membership modifications.

# Get all domain controllers in the forest
$DCs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

# Query each DC for Event ID 4757
$Results = @()
foreach ($DC in $DCs) {
    try {
        $Events = Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; Id=4757; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
        $Results += $Events | Select-Object @{n='DomainController';e={$DC.HostName}}, TimeCreated, Id, Message
    }
    catch {
        Write-Warning "Cannot query $($DC.HostName): $($_.Exception.Message)"
    }
}

# Display results sorted by time
$Results | Sort-Object TimeCreated -Descending | Format-Table DomainController, TimeCreated, Message -Wrap

This approach ensures you capture all universal group membership removals across the entire Active Directory forest, which is crucial for security investigations.

Identify which administrative tools were used to remove group members by correlating Event ID 4757 with process creation events and authentication logs.

# Find related authentication events for the same Logon ID
$GroupEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4757} -MaxEvents 1
$LogonId = ($GroupEvent.Message | Select-String 'Logon ID:\s+(\S+)').Matches[0].Groups[1].Value

# Find the initial logon event
$LogonEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {
    $_.Message -match "Logon ID:\s+$LogonId"
} | Select-Object -First 1

Write-Host "Group Modification Details:" -ForegroundColor Green
Write-Host "Time: $($GroupEvent.TimeCreated)"
Write-Host "Logon ID: $LogonId"

if ($LogonEvent) {
    Write-Host "\nAuthentication Details:" -ForegroundColor Green
    Write-Host "Logon Time: $($LogonEvent.TimeCreated)"
    Write-Host "Source: $($LogonEvent.Message | Select-String 'Source Network Address:\s+(\S+)' | ForEach-Object {$_.Matches[0].Groups[1].Value})"
    Write-Host "Process: $($LogonEvent.Message | Select-String 'Process Name:\s+(.+)' | ForEach-Object {$_.Matches[0].Groups[1].Value})"
}

Check for concurrent Event ID 4688 (process creation) events to identify specific administrative tools like dsa.msc, powershell.exe, or third-party management applications.

Create a comprehensive audit report showing the timeline of universal group membership changes for specific groups or users.

# Function to analyze universal group membership changes
function Get-UniversalGroupAudit {
    param(
        [string]$GroupName,
        [string]$MemberName,
        [int]$Days = 30
    )
    
    $StartTime = (Get-Date).AddDays(-$Days)
    $Events = @()
    
    # Get both addition (4756) and removal (4757) events
    $EventIds = @(4756, 4757)
    
    foreach ($EventId in $EventIds) {
        $EventData = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'
            Id = $EventId
            StartTime = $StartTime
        } -ErrorAction SilentlyContinue
        
        foreach ($Event in $EventData) {
            $Message = $Event.Message
            $GroupNameMatch = ($Message | Select-String 'Group Name:\s+(.+)').Matches[0].Groups[1].Value
            $MemberNameMatch = ($Message | Select-String 'Member Name:\s+(.+)').Matches[0].Groups[1].Value
            
            # Filter by group or member if specified
            if (($GroupName -and $GroupNameMatch -notlike "*$GroupName*") -or 
                ($MemberName -and $MemberNameMatch -notlike "*$MemberName*")) {
                continue
            }
            
            $Events += [PSCustomObject]@{
                Time = $Event.TimeCreated
                Action = if ($EventId -eq 4756) { "Added" } else { "Removed" }
                Group = $GroupNameMatch
                Member = $MemberNameMatch
                Subject = ($Message | Select-String 'Account Name:\s+(.+)').Matches[0].Groups[1].Value
                EventId = $EventId
            }
        }
    }
    
    return $Events | Sort-Object Time -Descending
}

# Usage examples
Get-UniversalGroupAudit -GroupName "Domain Admins" | Format-Table -AutoSize
Get-UniversalGroupAudit -MemberName "john.doe" | Format-Table -AutoSize

This script provides a comprehensive view of universal group membership changes, helping identify patterns and unauthorized modifications.

Set up proactive monitoring for critical universal group membership changes using Windows Event Forwarding and custom PowerShell monitoring scripts.

# Create a scheduled task to monitor critical universal groups
$TaskName = "Monitor-CriticalUniversalGroups"
$ScriptPath = "C:\Scripts\Monitor-UniversalGroups.ps1"

# Create the monitoring script
$MonitorScript = @'
$CriticalGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins")
$Events = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=@(4756,4757); StartTime=(Get-Date).AddMinutes(-5)} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    $GroupName = ($Event.Message | Select-String "Group Name:\s+(.+)").Matches[0].Groups[1].Value
    if ($CriticalGroups -contains $GroupName) {
        $Action = if ($Event.Id -eq 4756) { "ADDED TO" } else { "REMOVED FROM" }
        $Member = ($Event.Message | Select-String "Member Name:\s+(.+)").Matches[0].Groups[1].Value
        $Subject = ($Event.Message | Select-String "Account Name:\s+(.+)").Matches[0].Groups[1].Value
        
        $AlertMessage = "CRITICAL: $Member was $Action $GroupName by $Subject at $($Event.TimeCreated)"
        Write-EventLog -LogName Application -Source "UniversalGroupMonitor" -EventId 1001 -EntryType Warning -Message $AlertMessage
        
        # Send email alert (configure SMTP settings)
        # Send-MailMessage -To "admin@company.com" -Subject "Critical Group Change" -Body $AlertMessage -SmtpServer "smtp.company.com"
    }
}
'@

# Save the script
$MonitorScript | Out-File -FilePath $ScriptPath -Encoding UTF8

# Create event source for custom alerts
New-EventLog -LogName Application -Source "UniversalGroupMonitor" -ErrorAction SilentlyContinue

# Create scheduled task to run every 5 minutes
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File $ScriptPath"
$Trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365) -At (Get-Date)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal -Description "Monitor critical universal group membership changes"