Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Logon/Logoff->Group Membership->EventID 4627 - Group membership information.
EventID 4627 - Group membership information.

Audit Group Membership enables you to audit group membership when it is enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. Multiple events are generated if the group membership information cannot fit in a single security audit event.

Find more information about this event on ultimatewindowssecurity.com.

Group membership information.

	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SYSTEM
	Account Name:		IIZHU2016$
	Account Domain:		ITSS.WM.ZHU.CN.QSFT
	Logon ID:		0x1AF7F3ED

Event in sequence:		1 of 1

Group Membership:			
		BUILTIN\Pre-Windows 2000 Compatible Access
		BUILTIN\Windows Authorization Access Group
		NT AUTHORITY\Authenticated Users
		NT AUTHORITY\This Organization
		ITSS\Domain Controllers
		Authentication authority asserted identity
		ITSS\Denied RODC Password Replication Group
		Mandatory Label\System Mandatory Level

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Logon/Logoff
Source Microsoft-Windows-Security-Auditing
TaskCategory Group Membership
EventId 4627
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID -
Account Name -
Account Domain -
Subject: Security ID InsertionString1 NULL SID
Subject: Account Name InsertionString2 -
Subject: Account Domain InsertionString3 -
Subject: Logon ID InsertionString4 0x0
New Logon: Security ID InsertionString5 SYSTEM
New Logon: Account Name InsertionString6 IIZHU2016$
New Logon: Account Domain InsertionString7 ITSS.WM.ZHU.CN.QSFT
New Logon: Logon ID InsertionString8 0x1AF7F3ED
Event in Sequence Multiple events are generated if the group membership information cannot fit in a single security audit event InsertionString10 1
Sequence Length Multiple events are generated if the group membership information cannot fit in a single security audit event InsertionString11 2
Group Membership The list of group SIDs which logged account belongs to (member of) InsertionString12 Everyone
You must be logged in to comment