SOC Event Lookup
Event ID 4728GroupMgmtP2

Windows Event ID 4728: A member was added to a security-enabled global group

Windows Security Event ID 4728 records that a user or computer account was added to a security-enabled global group in Active Directory, logging the Subject performing the change, the Member added, and the target Group.

Applicable version
Windows Server 2008 R2 and later
Last reviewed
2026-07-12

Trigger Scenarios

Any domain-level group membership addition for a security-enabled global group generates this event on a domain controller. It covers high-value targets such as Domain Admins, Enterprise Admins, Schema Admins, and other privileged role groups.

Key Fields

Group\Group Name / Group Domain

The group receiving the new member. Additions to Domain Admins, Enterprise Admins, or Schema Admins in the expected domain are the highest-priority signals. Any group whose name ends in Admins or contains a privileged role keyword also warrants review.

Member\Security ID / Account Name

The account being added. Account Name is recorded as an LDAP distinguished name (e.g., CN=jsmith,OU=Users,DC=corp,DC=example). A member account that is newly created, dormant, or sourced from an external domain in a sensitive group is a T1098 Account Manipulation indicator.

Subject\Account Name / Logon ID

The identity that made the change. Correlate the Logon ID with the 4624 logon record to find the originating workstation and session type (Type 10 remote interactive from an unexpected source is particularly suspicious).

Common False Positives

  • Authorized provisioning workflows and help-desk processes regularly add accounts to groups as part of onboarding or role changes.
  • Automated identity management systems may perform bulk group assignments during role migrations.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation
  • T1078Valid Accounts

Detection Notes

T1098 is concrete when Group Name equals Domain Admins, Enterprise Admins, or Schema Admins and the same Subject Logon ID produces 4672 after a Type 10 4624. That sequence assigns privileged access rather than a routine role change.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4728
| where TargetUserName in ("Domain Admins", "Enterprise Admins", "Schema Admins")
| project TimeGenerated, Computer, SubjectUserName, MemberName, TargetUserName
Splunk SPL
index=wineventlog EventCode=4728
| search TargetUserName IN ("Domain Admins", "Enterprise Admins", "Schema Admins")
| table _time, host, SubjectUserName, MemberName, TargetUserName
Sample Log
Subject:
  Security ID: CORP\attacker
  Account Name: attacker
  Account Domain: CORP
  Logon ID: 0x2F4A10
Member:
  Security ID: CORP\backdoor
  Account Name: CN=backdoor,OU=Users,DC=corp,DC=example
Group:
  Security ID: CORP\Domain Admins
  Group Name: Domain Admins
  Group Domain: CORP

Source