Event Details
Operating System->Microsoft Windows->Application logs->Quest->Active Roles 7 or higher->EventID 1528 - User removed self from group.
EventID 1528 - User removed self from group.
 Sample: 
Log Name:      ARAdminService
Source:        ARAdminSvc
Date:          11/22/2016 4:29:50 PM
Event ID:      1528
Task Category: SelfGroupMembershipChange
Level:         Information
Keywords:      Classic,Audit Success
User:          ITSS\igor.ilyin
Computer:      IIZHU1.itss.wm.zhu.cn.qsft
Description:
User removed self from group. 
Operation GUID: 4d76d91a-e23b-45fb-b01e-4401dd7825e1 
Group name: InTrust.Admins 
Parent container: itss.wm.zhu.cn.qsft/OOUU 
Group object GUID: 5396bcb6-84ba-47a4-b143-aba050497ee0 
User: CN=igor.ilyin,OU=OOUU,DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: ARAdminService
Filtering Field Equals to Value
Source ARAdminSvc
EventId 1528
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category AttestationReview
Whom InsertionString5
Operation GUID InsertionString1
Group name InsertionString2
Parent container InsertionString3
Group object GUID InsertionString4
User DN InsertionString5
Comments
You must be logged in to comment