Event ID 4732GroupMgmtP1
Windows Event ID 4732: A member was added to a security-enabled local group
Windows Security Event ID 4732 records a member being added to a security-enabled local group, including the local Administrators group.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
Windows generates the event when local group membership changes on the audited system.
Key Fields
Member
The account or SID added to the group. Resolve SIDs when a name is unavailable.
Group
The local group receiving the member. Administrators and Remote Desktop Users are especially important.
Subject
The identity that made the change. Validate its administrative role and session context.
Common False Positives
- Endpoint management and approved provisioning workflows can add local administrators.
- Break-glass and support processes may temporarily add accounts during incidents.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
- T1078Valid Accounts
Detection Notes
T1098 privilege escalation is indicated when Group is Administrators or Remote Desktop Users and Member is a new, dormant, or foreign-domain account. Addition to Administrators followed by 4672 and Type 10 4624 is a concrete local-admin persistence chain.
SecurityEvent
| where EventID == 4732
| where TargetAccount has_any ("Administrators", "Remote Desktop Users")
| project TimeGenerated, Computer, Account, MemberName, TargetAccountindex=wineventlog EventCode=4732
| search TargetUserName IN ("Administrators", "Remote Desktop Users")
| table _time, host, SubjectUserName, MemberName, TargetUserNameMember: CORP\jsmith
Group: Administrators
Subject: CORP\admin.ops
Computer: WS-014