Windows Event ID 4728: A member was added to a security-enabled global group
Windows Security Event ID 4728 records that a user or computer account was added to a security-enabled global group in Active Directory, logging the Subject performing the change, the Member added, and the target Group.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-12
Trigger Scenarios
Any domain-level group membership addition for a security-enabled global group generates this event on a domain controller. It covers high-value targets such as Domain Admins, Enterprise Admins, Schema Admins, and other privileged role groups.
Key Fields
Group\Group Name / Group Domain
The group receiving the new member. Additions to Domain Admins, Enterprise Admins, or Schema Admins in the expected domain are the highest-priority signals. Any group whose name ends in Admins or contains a privileged role keyword also warrants review.
Member\Security ID / Account Name
The account being added. Account Name is recorded as an LDAP distinguished name (e.g., CN=jsmith,OU=Users,DC=corp,DC=example). A member account that is newly created, dormant, or sourced from an external domain in a sensitive group is a T1098 Account Manipulation indicator.
Subject\Account Name / Logon ID
The identity that made the change. Correlate the Logon ID with the 4624 logon record to find the originating workstation and session type (Type 10 remote interactive from an unexpected source is particularly suspicious).
Common False Positives
- Authorized provisioning workflows and help-desk processes regularly add accounts to groups as part of onboarding or role changes.
- Automated identity management systems may perform bulk group assignments during role migrations.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
- T1078Valid Accounts
Detection Notes
T1098 is concrete when Group Name equals Domain Admins, Enterprise Admins, or Schema Admins and the same Subject Logon ID produces 4672 after a Type 10 4624. That sequence assigns privileged access rather than a routine role change.
SecurityEvent
| where EventID == 4728
| where TargetUserName in ("Domain Admins", "Enterprise Admins", "Schema Admins")
| project TimeGenerated, Computer, SubjectUserName, MemberName, TargetUserNameindex=wineventlog EventCode=4728
| search TargetUserName IN ("Domain Admins", "Enterprise Admins", "Schema Admins")
| table _time, host, SubjectUserName, MemberName, TargetUserNameSubject:
Security ID: CORP\attacker
Account Name: attacker
Account Domain: CORP
Logon ID: 0x2F4A10
Member:
Security ID: CORP\backdoor
Account Name: CN=backdoor,OU=Users,DC=corp,DC=example
Group:
Security ID: CORP\Domain Admins
Group Name: Domain Admins
Group Domain: CORP