4627 Group membership information
Records the list of groups the logged-on account belongs to. Generated as a pair with 4624, it lets you see “who logged on as a member of which privileged groups.”
Overview
The subcategory is Audit Group Membership. The event is generated alongside the successful logon event 4624 and shows the list of group SIDs (Group Membership) the account belongs to. To get this event you must also enable Success auditing for Audit Logon. If the group information does not fit in one event, it is split across several (Windows Server 2016 / Windows 10 and later).
How it is triggered
- Generated when a user or computer logs on successfully, recording that account’s group membership information.
- It ties to the 4624 of the same session via Logon ID.
Security review points
- This information is normally reported by the NULL SID subject, so report any case where Subject\Security ID is not the NULL SID.
- Using the SIDs in Group Membership, you can track which hosts members of specific privileged groups (such as S-1-5-32-544 = Administrators) logged on to. Check whether members of high-privilege groups logged on to unexpected hosts.
- If an administrator group SID that should not normally be present appears on an account meant to be an ordinary user, suspect anomalous privilege assignment.
Notes for log review
- It appears on every logon, so if group monitoring is not your goal, watching 4624 is lighter.
- Group Membership is a list of SIDs. Pre-listing the privileged SIDs of interest, such as S-1-5-32-544 (Administrators) and domain admin SIDs, makes it easier to read.
Key fields
| Field | Meaning |
|---|---|
| New Logon\Account Name | The target account |
| Group Membership | The list of group SIDs the account belongs to |
| Logon ID | The key for matching with 4624 |
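
The review points and log-review notes above can be combined into one pass over exported events. The following is an added example, not part of the original page: it merges split 4627 events by Logon ID, pairs them with 4624, and flags non-NULL subjects and privileged SIDs on unexpected hosts. The dictionary keys (modeled on the events' XML data names), the `%{SID}` rendering, and all hosts, accounts, addresses and the domain SID are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

NULL_SID = "S-1-0-0"
# Pre-listed privileged SIDs; domain groups are matched by RID (512 = Domain Admins).
PRIVILEGED_SIDS = {"S-1-5-32-544": "Administrators"}
PRIVILEGED_RIDS = {"512": "Domain Admins"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def privileged_groups(sids):
    hits = {PRIVILEGED_SIDS[s] for s in sids if s in PRIVILEGED_SIDS}
    hits |= {PRIVILEGED_RIDS[s.rsplit("-", 1)[1]] for s in sids
             if s.startswith("S-1-5-21-") and s.rsplit("-", 1)[1] in PRIVILEGED_RIDS}
    return sorted(hits)

def review(events, expected_hosts):
    """expected_hosts maps account -> hosts where a privileged logon is normal."""
    src = {(e["Computer"], e["TargetLogonId"]): e["IpAddress"]
           for e in events if e["EventID"] == 4624}
    sessions = defaultdict(lambda: {"sids": set(), "subjects": set(), "acct": None})
    for e in (e for e in events if e["EventID"] == 4627):
        s = sessions[(e["Computer"], e["TargetLogonId"])]  # split parts share a Logon ID
        s["sids"].update(SID_RE.findall(e["GroupMembership"]))
        s["subjects"].add(e["SubjectUserSid"])
        s["acct"] = e["TargetUserName"]
    findings = []
    for key in sorted(sessions):
        s, host = sessions[key], key[0]
        groups = privileged_groups(s["sids"])
        if s["subjects"] != {NULL_SID}:
            findings.append((host, s["acct"], src.get(key), "subject is not the NULL SID"))
        if groups and host not in expected_hosts.get(s["acct"], ()):
            findings.append((host, s["acct"], src.get(key), "privileged: " + ", ".join(groups)))
    return findings

def ev(eid, host, lid, acct, subj=NULL_SID, groups="", ip="-"):  # builds constructed records
    return {"EventID": eid, "Computer": host, "TargetLogonId": lid, "TargetUserName": acct,
            "SubjectUserSid": subj, "GroupMembership": groups, "IpAddress": ip}

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE = [
    ev(4624, "DC01", "0x3e7a1", "alice", ip="10.0.0.5"),
    ev(4627, "DC01", "0x3e7a1", "alice", groups=f"%{{{DOM}-513}} %{{S-1-1-0}}"),
    ev(4627, "DC01", "0x3e7a1", "alice", groups=f"%{{{DOM}-512}}"),  # second part of a split
    ev(4624, "WS042", "0x5b2c0", "alice", ip="10.0.0.9"),
    ev(4627, "WS042", "0x5b2c0", "alice", groups=f"%{{S-1-5-32-544}} %{{{DOM}-513}}"),
    ev(4624, "WS017", "0x77d10", "bob", ip="10.0.0.7"),
    ev(4627, "WS017", "0x77d10", "bob", subj="S-1-5-18", groups=f"%{{{DOM}-513}}"),
]
EXPECTED_HOSTS = {"alice": {"DC01"}}  # constructed allow-list
```

An account with no entry in `EXPECTED_HOSTS` is flagged on any host where a privileged SID shows up, which covers the ordinary-user case.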