Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2016 4:12:03 PM
Event ID:      4627
Task Category: Group Membership
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IIZHU2016.itss.wm.zhu.cn.qsft
Description:
Group membership information.

Subject:
    Security ID:     NULL SID
    Account Name:    -
    Account Domain:  -
    Logon ID:        0x0

Logon Type:          3

New Logon:
    Security ID:     SYSTEM
    Account Name:    IIZHU2016$
    Account Domain:  ITSS.WM.ZHU.CN.QSFT
    Logon ID:        0x1AF7F3ED

Event in sequence:   1 of 1

Group Membership:
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    BUILTIN\Pre-Windows 2000 Compatible Access
    BUILTIN\Windows Authorization Access Group
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    NT AUTHORITY\This Organization
    ITSS\IIZHU2016$
    ITSS\Domain Controllers
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
    Authentication authority asserted identity
    ITSS\Denied RODC Password Replication Group
    Mandatory Label\System Mandatory Level

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

This event is generated when the Audit Group Membership subcategory is configured. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.