Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 632 - Security Enabled Global Group Member Added
EventID 632 - Security Enabled Global Group Member Added
Indicates that a member (user, computer or another group account) was successfully added to the security global group by "caller" user.

  • The Member Name field specifies the user who was added.
  • The Member ID field specifies the user's domain-qualified user name.
  • The Target Account Name and Target Domain fields specify the group to which the user was added.
  • The Target Account ID is the security identifier (SID) of the user or group that was added.
  • The Caller User Name field specifies the user who made the change.
  • The Caller Logon ID field specifies the logon ID of the user who made the change.
  • The Privileges field for this event is usually empty.

Find more information about EventID 632 on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       632
        Date:           10/26/2009
        Time:           07:39:56
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Security Enabled Global Group Member Added:
        Member Name:	-
        Member ID:	%{S-1-5-21-184992632-1607737289-1287950321-1178}
        Target Account Name:	Domain Users
        Target Domain:	RESEARCH
        Target Account ID:	%{S-1-5-21-184992632-1607737289-1287950321-513}
        Caller User Name:	Alebovsky
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x59DF36)
        Privileges:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category Account Management
Source Security
EventId 632
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Caller User Name Account initiating action InsertionString6 Alebovsky
Caller Domain Domain of the account initiating action InsertionString7 RESEARCH
Caller Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString8 (0x0,0x59DF36)
Member Name Distinguished name of the added group member InsertionString1 -
Member ID Name of the added group member in the following format: Domain\User Name InsertionString2 %{S-1-5-21-184992632-1607737289-1287950321-1178}
Target Account Name Name of the account on which the action is performed InsertionString3 Domain Users
Target Domain Domain name of the Target Account InsertionString4 RESEARCH
Target Account ID Target Account Name in the following format: Target Domain\Target Account Name InsertionString5 %{S-1-5-21-184992632-1607737289-1287950321-513}
Privileges Contains the list of privileges. The purpose of this field is unknown. In most cases it is empty. InsertionString9 -
Comments
You must be logged in to comment