Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2016 4:12:03 PM
Event ID:      4627
Task Category: Group Membership
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IIZHU2016.itss.wm.zhu.cn.qsft
Description:
Group membership information.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

New Logon:
	Security ID:		SYSTEM
	Account Name:		IIZHU2016$
	Account Domain:		ITSS.WM.ZHU.CN.QSFT
	Logon ID:		0x1AF7F3ED

Event in sequence:		1 of 1

Group Membership:			
		BUILTIN\Administrators
		Everyone
		BUILTIN\Users
		BUILTIN\Pre-Windows 2000 Compatible Access
		BUILTIN\Windows Authorization Access Group
		NT AUTHORITY\NETWORK
		NT AUTHORITY\Authenticated Users
		NT AUTHORITY\This Organization
		ITSS\IIZHU2016$
		ITSS\Domain Controllers
		NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
		Authentication authority asserted identity
		ITSS\Denied RODC Password Replication Group
		Mandatory Label\System Mandatory Level

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured.  The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.