Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Management->Security Group Management->EventID 4728 - A member was added to a security-enabled global group.
EventID 4728 - A member was added to a security-enabled global group.
Indicates that a member (user, computer or another group account) was successfully added to the security global group by "Subject" user.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:
Windows 2000, 2003
 Sample: 
A member was added to a security-enabled global group.

Subject:
	Security ID:		ITSS\igor.ilyin
	Account Name:		igor.ilyin
	Account Domain:		ITSS
	Logon ID:		0x248AB265

Member:
	Security ID:		ITSS\demo.account
	Account Name:		CN=demo account,OU=Operational,DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft

Group:
	Security ID:		ITSS\NonDboGroup
	Group Name:		NonDboGroup
	Group Domain:		ITSS

Additional Information:
	Privileges:		-
Expiration time:		-
===========================
Description template stored in adtschema.dll:
===========================
A member was added to a security-enabled global group.

Subject:
	Security ID:		%6
	Account Name:		%7
	Account Domain:		%8
	Logon ID:		%9

Member:
	Security ID:		%2
	Account Name:		%1

Group:
	Security ID:		%5
	Group Name:		%3
	Group Domain:		%4

Additional Information:
	Privileges:		%10
Expiration time:		%11
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Account Management
Source Microsoft-Windows-Security-Auditing
TaskCategory Security Group Management
EventId 4728
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name -
Whom -
Object Type -
Class Name -
Security ID InsertionString6
Account Name InsertionString7
Account Domain InsertionString8
Subject: Account Name Name of the account that initiated the action. InsertionString7 igor.ilyin
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString8 ITSS
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString9 0x248AB265
Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. InsertionString6 ITSS\igor.ilyin
Additional Information: Privileges Likely always equal to "-". Probably reserved to indicate privileges used by Subject while performing the management action or the privileges assigned to the managed group. InsertionString10 -
Member: Security ID InsertionString2 ITSS\demo.account
Member: Account Name InsertionString1 CN=demo account,OU=Operational,DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft
Group: Security ID InsertionString5 ITSS\NonDboGroup
Group: Group Name InsertionString3 NonDboGroup
Group: Group Domain InsertionString4 ITSS
Expiration InsertionString11 -
Privileges InsertionString10
Comments
You must be logged in to comment