ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Security Event Viewer displaying Event ID 4764 group membership changes on a SOC monitoring dashboard
Event ID 4764InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4764 – Microsoft-Windows-Security-Auditing: Group Member Added

Event ID 4764 logs when a user account is added to a security-enabled group in Active Directory or local system, providing audit trail for group membership changes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4764Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4764 represents a fundamental security auditing mechanism within Windows that tracks additions to security-enabled groups. When Windows processes a request to add a user to a group, the Local Security Authority (LSA) subsystem generates this event before committing the membership change to the security database.

The event structure includes several key fields: the target group's Security Identifier (SID) and name, the member being added (including their SID), the subject who initiated the change, and contextual information like the logon session and process details. This comprehensive logging enables administrators to reconstruct the complete chain of events surrounding group membership modifications.

In Active Directory environments, this event fires on domain controllers when group membership changes affect domain groups. For local groups on member servers and workstations, the event appears in the local Security log. The timing is critical - Windows logs the event synchronously with the membership change, ensuring the audit trail remains consistent with the actual security state.

The event integrates with Windows' broader security auditing framework, requiring the "Audit Security Group Management" policy to be enabled. Without proper audit policy configuration, these events won't generate, creating gaps in your security monitoring. Modern compliance frameworks like SOX, HIPAA, and PCI-DSS often mandate tracking of privileged group changes, making Event ID 4764 essential for regulatory compliance.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator adds user to security group via Active Directory Users and Computers console
  • PowerShell commands like Add-ADGroupMember or Add-LocalGroupMember execute successfully
  • Automated scripts or applications programmatically add users to groups via LDAP or Windows APIs
  • Group Policy processing adds users to local groups during computer startup or user logon
  • Third-party identity management systems synchronize group memberships with Active Directory
  • Service accounts or applications with appropriate permissions modify group membership programmatically
  • Bulk import operations using tools like csvde or ldifde add multiple users to groups simultaneously
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific event details to understand what group membership change occurred and who initiated it.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4764 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4764 in the Event IDs field and click OK
  5. Double-click on a 4764 event to view detailed information including:
    • Subject: Who performed the action (account name and SID)
    • Member: Which user was added to the group
    • Group: Target group name and SID
    • Privileges: Security privileges used for the operation
  6. Note the timestamp and correlate with other administrative activities
  7. Check the Process Information section to identify which application or tool was used
Pro tip: The Subject field shows the account that made the change, while Member shows who was added. These can be different accounts in delegation scenarios.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze Event ID 4764 occurrences across your environment.

  1. Open PowerShell as Administrator
  2. Query recent group membership additions:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Message';Expression={$_.Message.Split('`n')[0..10] -join '`n'}}
  3. Filter events for specific groups (replace 'Domain Admins' with your target group):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764} | Where-Object {$_.Message -like '*Domain Admins*'} | Select-Object TimeCreated, @{Name='Details';Expression={$_.Message}}
  4. Extract structured data from events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764} -MaxEvents 100
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $EventData = $XML.Event.EventData.Data
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        MemberName = ($EventData | Where-Object {$_.Name -eq 'MemberName'}).'#text'
        GroupName = ($EventData | Where-Object {$_.Name -eq 'GroupName'}).'#text'
    }
}
  5. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764} -MaxEvents 1000 | Export-Csv -Path "C:\Temp\GroupMembershipChanges.csv" -NoTypeInformation
Warning: Large Security logs can impact performance. Use -MaxEvents parameter to limit results and avoid system slowdown.
03

Configure Advanced Audit Policies

Ensure proper audit policy configuration to capture all group membership changes consistently.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  3. Expand Account Management and locate Audit Security Group Management
  4. Configure the policy to Success and Failure for comprehensive logging
  5. Verify current audit settings via PowerShell:
    auditpol /get /category:"Account Management" /subcategory:"Security Group Management"
  6. Apply settings immediately using:
    gpupdate /force
  7. Test the configuration by adding a test user to a group and verifying Event ID 4764 appears
  8. For domain environments, configure this policy at the Domain Controllers OU level
  9. Monitor audit policy changes using Event ID 4719 to detect unauthorized modifications
Pro tip: Enable both Success and Failure auditing. Failed attempts (Event ID 4761) can indicate unauthorized access attempts or misconfigurations.
04

Implement Automated Monitoring and Alerting

Set up proactive monitoring to detect and respond to critical group membership changes in real-time.

  1. Create a PowerShell script for continuous monitoring:
    # Monitor-GroupChanges.ps1
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$LastCheck = (Get-Date).AddMinutes(-5)

while ($true) {
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764; StartTime=$LastCheck} -ErrorAction SilentlyContinue
    
    foreach ($Event in $Events) {
        $XML = [xml]$Event.ToXml()
        $GroupName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'GroupName'}).'#text'
        
        if ($SensitiveGroups -contains $GroupName) {
            # Send alert - customize notification method
            Write-Host "ALERT: User added to $GroupName at $($Event.TimeCreated)" -ForegroundColor Red
            # Add email notification, SIEM integration, etc.
        }
    }
    
    $LastCheck = Get-Date
    Start-Sleep -Seconds 300  # Check every 5 minutes
}
  2. Configure Windows Task Scheduler to run the monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-GroupChanges.ps1"
$Trigger = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "GroupMembershipMonitor" -Action $Action -Trigger $Trigger -Principal $Principal
  3. Set up Event Log subscriptions for centralized collection:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>GroupMembershipChanges</SubscriptionId>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4764]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
  4. Configure SIEM integration using Windows Event Forwarding or direct log shipping
05

Forensic Analysis and Correlation

Perform detailed forensic analysis to investigate suspicious group membership changes and establish complete attack timelines.

  1. Collect related events for comprehensive analysis:
    # Collect all group management events
$StartTime = (Get-Date).AddDays(-7)
$GroupEvents = @(4728, 4729, 4732, 4733, 4756, 4757, 4764, 4765)

$AllEvents = foreach ($EventId in $GroupEvents) {
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$EventId; StartTime=$StartTime} -ErrorAction SilentlyContinue
}

$AllEvents | Sort-Object TimeCreated | Export-Csv -Path "C:\Temp\GroupManagementTimeline.csv" -NoTypeInformation
  2. Correlate with logon events to establish user context:
    # Find logon sessions related to group changes
$LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$StartTime}
$GroupChangeEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764; StartTime=$StartTime}

foreach ($GroupEvent in $GroupChangeEvents) {
    $XML = [xml]$GroupEvent.ToXml()
    $LogonId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'}).'#text'
    
    $RelatedLogon = $LogonEvents | Where-Object {
        $LogonXML = [xml]$_.ToXml()
        ($LogonXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetLogonId'}).'#text' -eq $LogonId
    } | Select-Object -First 1
    
    if ($RelatedLogon) {
        Write-Host "Group change at $($GroupEvent.TimeCreated) linked to logon at $($RelatedLogon.TimeCreated)"
    }
}
  3. Analyze process execution context:
    # Extract process information from events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764} -MaxEvents 100 | ForEach-Object {
    $XML = [xml]$_.ToXml()
    $ProcessName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
    $ProcessId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
    
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ProcessName = $ProcessName
        ProcessId = $ProcessId
        GroupName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'GroupName'}).'#text'
    }
} | Group-Object ProcessName | Sort-Object Count -Descending
  4. Generate comprehensive forensic report:
    # Create detailed analysis report
$Report = @"
Group Membership Change Analysis Report
Generated: $(Get-Date)

Summary of Changes (Last 7 Days):
"@

$GroupStats = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4764; StartTime=(Get-Date).AddDays(-7)} | 
    Group-Object @{Expression={([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'GroupName'} | Select-Object -ExpandProperty '#text'}} | 
    Sort-Object Count -Descending

foreach ($Stat in $GroupStats) {
    $Report += "`n$($Stat.Name): $($Stat.Count) additions"
}

$Report | Out-File -FilePath "C:\Temp\GroupChangeAnalysis.txt"
Warning: Forensic analysis can generate large datasets. Ensure adequate disk space and consider performance impact on production systems.

Overview

Event ID 4764 fires whenever a user account gets added to a security-enabled group in your Windows environment. This event appears in the Security log and serves as a critical audit trail for tracking group membership modifications across both Active Directory domain controllers and local Windows systems.

The event captures essential details including the target group name, the user account being added, and the security principal performing the action. Windows generates this event immediately when group membership changes occur through any method - whether via Active Directory Users and Computers, PowerShell commands, or programmatic API calls.

This event plays a crucial role in security monitoring and compliance auditing. Organizations rely on Event ID 4764 to track privilege escalation attempts, monitor administrative group changes, and maintain detailed records of who gained access to what resources. The event works in conjunction with Event ID 4728 (member added to security-enabled global group) and Event ID 4732 (member added to security-enabled local group) to provide comprehensive group membership tracking.

Security teams typically configure SIEM systems to alert on this event when it involves sensitive groups like Domain Admins, Enterprise Admins, or custom privileged groups. The event provides the forensic evidence needed to investigate unauthorized access attempts and verify legitimate administrative actions.

Frequently Asked Questions

What does Event ID 4764 mean and when does it occur?+
Event ID 4764 indicates that a user account has been successfully added to a security-enabled group. This event fires immediately when group membership changes occur through any method - Active Directory Users and Computers, PowerShell commands, automated scripts, or programmatic API calls. The event provides a complete audit trail including who made the change, which user was added, and to which group. It's essential for security monitoring and compliance auditing, particularly when tracking changes to privileged groups like Domain Admins or custom administrative groups.
How do I distinguish between Event ID 4764 and similar group management events?+
Event ID 4764 specifically tracks additions to security-enabled groups, but Windows generates several related events for different group operations. Event ID 4728 logs additions to security-enabled global groups, Event ID 4732 covers security-enabled local groups, and Event ID 4756 handles security-enabled universal groups. Event ID 4765 logs when users are removed from groups. The key difference is that 4764 provides a general group addition event, while the others are specific to group scope (global, local, universal). Check the event details to see the specific group type and scope involved in each change.
Why am I not seeing Event ID 4764 in my Security log?+
Missing Event ID 4764 entries typically indicate that the required audit policy isn't enabled. You need to configure 'Audit Security Group Management' under Advanced Audit Policy Configuration. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit Security Group Management and set it to Success (and optionally Failure). After enabling the policy, run 'gpupdate /force' to apply changes immediately. Also verify that the Security log isn't full and that log retention policies aren't automatically clearing events too quickly.
Can Event ID 4764 help detect unauthorized privilege escalation attempts?+
Absolutely. Event ID 4764 is crucial for detecting privilege escalation attacks where attackers add compromised accounts to high-privilege groups. Monitor this event for additions to sensitive groups like Domain Admins, Enterprise Admins, Schema Admins, and custom privileged groups. Set up automated alerts when these events occur outside normal business hours or from unexpected user accounts. Correlate with logon events (4624) to understand the full attack chain. Look for patterns like multiple rapid group additions, additions from service accounts that shouldn't have such permissions, or additions followed immediately by suspicious activities. The event's process information can also reveal if legitimate tools or potentially malicious processes performed the changes.
How can I automate monitoring of Event ID 4764 for compliance reporting?+
Create automated monitoring using PowerShell scripts that query Event ID 4764 regularly and generate compliance reports. Use Get-WinEvent with FilterHashtable to collect events, then parse the XML data to extract group names, user accounts, and timestamps. Set up scheduled tasks to run these scripts daily or weekly, depending on compliance requirements. Export results to CSV or JSON formats for integration with compliance management systems. For real-time monitoring, implement Windows Event Forwarding to centralize logs from multiple systems, or integrate with SIEM solutions that can automatically correlate group changes with other security events. Include both successful additions (4764) and failed attempts (4761) in your monitoring to get complete visibility into group management activities.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4764 and related group management eventshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies including Security Group Management auditinghttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4764#security-auditing#group-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...