Event-o-Pedia EventID 4787 - A non-member was added to a basic application group.

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Application Group Management->EventID 4787 - A non-member was added to a basic application group.

EventID 4787 - A non-member was added to a basic application group.

An application group is a group of users, computers, or other security principals. An application group is not a group of applications.

Find more information about this event on ultimatewindowssecurity.com.

Sample:

      A non-member was added to a basic application group.

      Subject:
      Security ID:		%6
      Account Name:		%7
      Account Domain:		%8
      Logon ID:		%9

      Member:
      Security ID:		%2
      Account Name:		%1

      Group:
      Security ID:		%5
      Account Name:		%3
      Account Domain:		%4

      Additional Information:
      Privileges:		%10

      A non-member is an account that is explicitly excluded from membership in a basic application group.  
      Even if the account is specified as a member of the application group, either explicitly or through nested group membership, 
      the account will not be treated as a group member if it is listed as a non-member.

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Account Management
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Application Group Management
EventId	4787

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		-
Whom		-
Object Type		-
Class Name		-
Security ID		-
Account Name		-
Account Domain		-
Subject: Account Name	Name of the account that initiated the action.	InsertionString7	ALebovsky
Subject: Account Domain	Name of the domain that account initiating the action belongs to.	InsertionString8	LOGISTICS
Subject: Logon ID	A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.	InsertionString9	0x2a88a
Subject: Security ID	Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment.	InsertionString6
Group: Security ID	Security ID of the managed group. Usually resolved to Domain\GroupName in home environment.	InsertionString5
Additional Information: Privileges	Likely always equal to "-". Probably reserved to indicate privileges used by Subject while performing the management action or the privileges assigned to the managed group.	InsertionString10
Member: Security ID		InsertionString2
Member: Account Name		InsertionString1
Group: Account Name		InsertionString3
Group: Account Domain		InsertionString4