Windows Events — Event ID Reference & Troubleshooting
Windows Event ID 4735 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Changed
Event ID 4735 fires when a security-enabled local group is modified on Windows systems. This security audit event tracks changes to local group membership, properties, or permissions for compliance and security monitoring.
Windows Event ID 4734 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Member Removed
Event ID 4734 fires when a member is removed from a security-enabled local group. This security audit event tracks group membership changes for compliance and security monitoring purposes.
Windows Event ID 4732 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Enabled Local Group
Event ID 4732 fires when a user or computer account is added to a security-enabled local group. This security audit event helps administrators track group membership changes for compliance and security monitoring.
Windows Event ID 4731 – Microsoft-Windows-Security-Auditing: Security-Enabled Local Group Member Added
Event ID 4731 fires when a member is added to a security-enabled local group on Windows systems. This security audit event tracks local group membership changes for compliance and security monitoring.
Windows Event ID 4730 – Microsoft-Windows-Security-Auditing: Security-Enabled Universal Group Deleted
Event ID 4730 logs when a security-enabled universal group is deleted from Active Directory. This audit event tracks group management changes for security compliance and forensic analysis.
Windows Event ID 4729 – Microsoft-Windows-Security-Auditing: A Member was Removed from a Security-Enabled Global Group
Event ID 4729 logs when a user or computer account is removed from a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.
Windows Event ID 4728 – Microsoft-Windows-Security-Auditing: A Member Was Added to a Security-Enabled Global Group
Event ID 4728 fires when a user or computer account is added to a security-enabled global group in Active Directory. This audit event tracks group membership changes for security monitoring and compliance.
Windows Event ID 4727 – Microsoft-Windows-Security-Auditing: Security-Enabled Global Group Created
Event ID 4727 fires when a security-enabled global group is created in Active Directory. This audit event tracks group creation activities for security monitoring and compliance purposes.
Windows Event ID 4733 – Microsoft-Windows-Security-Auditing: Security Group Member Removed
Event ID 4733 logs when a user or computer account is removed from a security group in Active Directory, providing critical audit information for access control changes.
Windows Event ID 4726 – Microsoft-Windows-Security-Auditing: User Account Deleted
Event ID 4726 fires when a user account is deleted from Active Directory or the local system. It is a critical security event for tracking account lifecycle and potential unauthorized deletions.
Windows Event ID 4725 – Microsoft-Windows-Security-Auditing: User Account Disabled
Event ID 4725 fires when a user account is disabled in Active Directory or on a local Windows system, providing an audit trail for account management activities.
Windows Event ID 4724 – Microsoft-Windows-Security-Auditing: User Account Password Reset by Administrator
Event ID 4724 logs when an administrator resets another user's password in Active Directory or on a local account, providing a critical security audit trail for password management activities.
Windows Event ID 4722 – Microsoft-Windows-Security-Auditing: User Account Enabled
Event ID 4722 fires when a user account is enabled in Active Directory or the local SAM database. It is critical for security auditing and tracking account state changes.
Windows Event ID 4720 – Microsoft-Windows-Security-Auditing: User Account Created
Event ID 4720 logs when a new user account is created on Windows systems. This security audit event tracks account creation activities for compliance and security monitoring purposes.
Windows Event ID 4719 – Microsoft-Windows-Security-Auditing: System Audit Policy Changed
Event ID 4719 fires when Windows audit policy settings are modified, indicating changes to security auditing configuration that affect what events get logged.
Windows Event ID 4672 – Security: Special Privileges Assigned to New Logon
Event ID 4672 fires when Windows assigns special privileges to a new user logon session, indicating elevated access rights have been granted to an account.
Windows Event ID 4670 – Security: Object Permissions Changed
Event ID 4670 logs when permissions are modified on securable objects like files, folders, or registry keys. It is critical for security auditing and compliance monitoring.
Windows Event ID 4663 – Security: An Attempt Was Made to Access an Object
Event ID 4663 logs when a process attempts to access a file, folder, registry key, or other securable object. This security audit event tracks object access attempts for compliance and forensic analysis.
Windows Event ID 4662 – Security: Object Access Auditing
Event ID 4662 logs when an operation is performed on an object with configured auditing. This security event tracks access attempts to files, folders, registry keys, and Active Directory objects.
Windows Event ID 4660 – Microsoft-Windows-Security-Auditing: Object Deleted
Event ID 4660 logs when an object is deleted from Active Directory or the local security database, providing an audit trail for security-sensitive deletions including user accounts, groups, and organizational units.
Windows Event ID 4658 – Microsoft-Windows-Security-Auditing: Handle to an Object was Closed
Event ID 4658 logs when a handle to a system object is closed, providing an audit trail for object access tracking in Windows security monitoring.