Event Details
EventID 4798 - A user's local group membership was enumerated.
 Sample:
A user's local group membership was enumerated.

              Subject:
                  Security ID:        %4
                  Account Name:        %5
                  Account Domain:        %6
                  Logon ID:        %7

              User:
                  Security ID:        %3
                  Account Name:        %1
                  Account Domain:        %2

              Process Information:
                  Process ID:        %8
                  Process Name:        %9
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security

| Filtering Field | Equals to Value |
| --- | --- |
| OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016) |
| Category | Account Management |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | User Account Management |
| EventId | 4798 |
Field Matching

| Field | Description | Stored in | Sample Value |
| --- | --- | --- | --- |
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Subject: Account Name | ALebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Local Group Membership Enumerated" | Local Group Membership Enumerated |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | | Subject: Account Domain | LOGISTICS |
| WhereDomain | | - | |
| Whom | Account or user name being managed. | Target: Account Name | |