4733 A member was removed from a security-enabled local group

Logged when a member is removed from a security-enabled local group. Together with the member-added event 4732, it tracks changes to group membership.

Overview

The subcategory is Audit Security Group Management. It is generated when a member is removed from a local group, one event per removed member.

How it is triggered

  • Member removal via net localgroup <group> <user> /delete, Remove-LocalGroupMember, and so on.

Security review points

  • An attacker may temporarily add themselves to a privileged group (4732), operate, and then remove themselves right afterward to thin out the trace. A short add-then-remove pair is worth attention.
  • Member removals that affect defense or operations, such as removing a legitimate administrator from Administrators, should be checked in the context of privilege stripping or disruption.

Notes for log review

  • It also occurs during legitimate rights reviews. Compare it against the normal pattern for the target group (whether it is privileged), the removed member, and the acting subject.
  • Read it together with the member-added event 4732 as a membership history.
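
One way to surface the short add-then-remove pair described above is to pair each 4733 with the preceding 4732 for the same group and member. This is an added example, not part of the original page: the records are constructed, it assumes events from a single host already exported to dicts, and the function name and 30-minute default window are illustrative choices.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log data), one dict per event, using
# the EventData names of 4732/4733: TargetUserName = group, MemberSid = member.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4732, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "jdoe"},
    {"time": "2024-05-01T10:04:30", "id": 4733, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "jdoe"},
    # Long-lived membership removed during a rights review: not a short pair.
    {"time": "2024-03-01T09:00:00", "id": 4732, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1-2-3-1200", "SubjectUserName": "helpdesk"},
    {"time": "2024-05-02T09:00:00", "id": 4733, "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1-2-3-1200", "SubjectUserName": "helpdesk"},
    # Removal with no addition in the data set (added before log retention).
    {"time": "2024-05-03T12:00:00", "id": 4733, "TargetUserName": "Backup Operators",
     "MemberSid": "S-1-5-21-1-2-3-1300", "SubjectUserName": "admin2"},
]

def short_lived_memberships(events, window_minutes=30):
    """Pair each 4733 with the latest earlier 4732 for the same group and member.
    Returns (pairs whose lifetime is within the window, removals with no 4732)."""
    window = timedelta(minutes=window_minutes)
    pending = {}                 # (group, member SID) -> open 4732 event
    short, unpaired = [], []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["TargetUserName"].lower(), ev["MemberSid"])
        if ev["id"] == 4732:
            pending[key] = ev
        elif ev["id"] == 4733:
            added = pending.pop(key, None)
            if added is None:    # addition predates the collected logs
                unpaired.append(ev)
                continue
            lifetime = (datetime.fromisoformat(ev["time"])
                        - datetime.fromisoformat(added["time"]))
            if lifetime <= window:
                short.append({"group": ev["TargetUserName"], "member": ev["MemberSid"],
                              "added_by": added["SubjectUserName"],
                              "removed_by": ev["SubjectUserName"],
                              "lifetime_seconds": int(lifetime.total_seconds())})
    return short, unpaired

if __name__ == "__main__":
    hits, orphans = short_lived_memberships(EVENTS)
    for h in hits:
        print("short-lived membership:", h)
    for o in orphans:
        print("removal without matching 4732:", o["time"], o["TargetUserName"])
```

Removals without a matching 4732 are returned separately so they can be checked against the normal pattern for the group rather than silently dropped.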

Key fields

Field                  Meaning
Group\Group Name       The group a member was removed from
Member\Account Name    The removed member
Subject\Account Name   The subject that performed the removal
