Event-o-Pedia EventID 4729 - A member was removed from a security-enabled global group.

	Event Details
	User Activity->Account Management->Group Membership Changes->Windows 2008->EventID 4729 - A member was removed from a security-enabled global group.

EventID 4729 - A member was removed from a security-enabled global group.

Linked Event:

EventID 4729 - A member was removed from a security-enabled global group.

Sample:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/28/2009 8:29:34 PM
Event ID:      4729
Task Category: Security Group Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A member was removed from a security-enabled global group.

Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a

Member:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1145
	Account Name:		CN=Paul,OU=Project Managers,DC=Logistics,DC=corp

Group:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-513
	Group Name:		Domain Users
	Group Domain:		LOGISTICS

Additional Information:
	Privileges:		-

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Account Management
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Security Group Management
EventId	4729

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime	10.10.2000 19:00:00
Who	Account or user name under which the activity occured.	Subject: Account Name	ALebovsky
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Group Member Removed"	Group Member Removed
Where	The name of the workstation/server where the activity was logged.	Computer	DC1
Where From	The name of the workstation/server where the activity was initiated from.	-	10.10.10.10
Severity	Specify the seriousness of the event.	"High"	High
WhoDomain		Subject: Account Domain	LOGISTICS
WhereDomain		-
Whom	Account or user name being managed.	Member: Security ID	S-1-5-21-1135140816-2109348461-2107143693-1145
Member Name	Account name of added/removed group member	Member: Account Name	CN=Paul,OU=Project Managers,DC=Logistics,DC=corp
Group Type	The type of group: security or distribution.	"Security"	Security
Group Scope	The scope of group: local, global, universal	"Global"	Global
Group Name		Group: Group Name	Domain Users
Group Domain		Group: Group Domain	LOGISTICS
Affected group	The group affected by changes	Group: Security ID	S-1-5-21-1135140816-2109348461-2107143693-513