
4732 A member was added to a security-enabled local group

Logged when a member is added to a security-enabled local group. Adding an account to a privileged group such as Administrators is a direct privilege escalation, which makes this a top-tier account-management event.

Overview

The subcategory is Audit Security Group Management. The event is generated when a new member is added to a local group and is recorded on domain controllers, member servers, and workstations alike. One event appears per added member.

How it is triggered

  • Member addition via net localgroup Administrators <user> /add, Computer Management, Add-LocalGroupMember, and so on.

Security review points

  • Additions to privileged groups matter most. Adding an account to Administrators (the local administrators group) grants it admin rights, a hallmark of privilege escalation and persistence. Addition to Remote Desktop Users (which opens an RDP path to the host) is also notable.
  • A sequence of account creation (4720) followed by privileged-group addition (4732) strongly suggests a backdoor administrator account is being created.
  • Confirm that the added member (target) and the subject performing the addition are as expected. Additions to domain global and universal groups are separate events (4728 and 4756 respectively).

Notes for log review

  • This event also occurs during legitimate privilege grants. Narrow by group name (privileged or not) and by the normal patterns of target and subject. In particular, alert on additions to Administrators at high priority.
  • Track membership changes together with the removal event 4733. A quick add followed by a removal can be an attempt to hide temporary privilege use.
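The review points and log-review notes above, turned into detection logic as an added example (not code from the original page). It runs over a constructed batch of 4720/4732/4733 records, treats Administrators and Remote Desktop Users as the privileged groups (an assumption you would replace with your own list), and rates each 4732 by group, by a preceding 4720 for the same member, and by a quick 4733 removal afterwards.

```python
from datetime import datetime

# Groups treated as privileged in this example (an assumption; extend to your own policy).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample events, not real log data. Tuple fields:
# (timestamp, EventID, Subject\Account Name, Member\Account Name, Group\Group Name)
# 4720 = account created (no group), 4732 = added to local group, 4733 = removed from it.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", 4720, "adm.alice", "svc-backup", None),
    ("2024-05-01 09:01:30", 4732, "adm.alice", "svc-backup", "Administrators"),
    ("2024-05-01 09:40:00", 4732, "helpdesk01", "bob", "Remote Desktop Users"),
    ("2024-05-01 10:00:00", 4732, "helpdesk01", "carol", "Performance Monitor Users"),
    ("2024-05-01 12:00:00", 4732, "adm.dave", "tmp-ops", "Administrators"),
    ("2024-05-01 12:06:00", 4733, "adm.dave", "tmp-ops", "Administrators"),
]

def parse(events):
    # Convert the string timestamps to datetime so time windows can be compared.
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), eid, subj, member, group)
            for t, eid, subj, member, group in events]

def review_group_changes(events, create_window_min=15, remove_window_min=30):
    """Rate every 4732 event: privileged group -> high; a 4720 for the same member
    shortly before -> critical; a 4733 for the same member and group shortly after
    is flagged as possible cover-up of temporary privilege use."""
    parsed = parse(events)
    findings = []
    for ts, eid, subj, member, group in parsed:
        if eid != 4732:
            continue
        severity, reasons = "info", []
        if group in PRIVILEGED_GROUPS:
            severity = "high"
            reasons.append(f"addition to privileged group {group}")
        # Account creation (4720) just before the addition: backdoor-account pattern.
        if any(e == 4720 and m == member and 0 <= (ts - t).total_seconds() <= create_window_min * 60
               for t, e, _, m, _ in parsed):
            severity = "critical"
            reasons.append(f"4720 account creation within {create_window_min} min")
        # Removal (4733) shortly after: short-lived membership worth a closer look.
        if any(e == 4733 and m == member and g == group
               and 0 <= (t - ts).total_seconds() <= remove_window_min * 60
               for t, e, _, m, g in parsed):
            severity = "high" if severity == "info" else severity
            reasons.append(f"4733 removal within {remove_window_min} min")
        findings.append({"time": ts, "subject": subj, "member": member,
                         "group": group, "severity": severity, "reasons": reasons})
    return findings
```

On the sample batch, svc-backup is rated critical (4720 then 4732 into Administrators), bob high (Remote Desktop Users), carol info, and tmp-ops high with the 4733 removal noted.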

Key fields

Field                               Meaning
Group\Group Name                    The group a member was added to (check whether it is privileged)
Member\Security ID / Account Name   The added member
Subject\Account Name                The subject that performed the addition
