Windows Event ID 4729: A member was removed from a security-enabled global group
Windows Security Event ID 4729 records removal of a member from a security-enabled global group.
- Applicable version
- Windows Server 2008 and later where the audit subcategory is enabled
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents 4729 as the global-group counterpart to 4733, with the same fields and recommendations except group type.
Key Fields
Member Security ID / Account Name
The user, group, or computer removed from the global security group.
Group Name / Group Domain / Group Security ID
The affected global group. Privileged groups such as Domain Admins require immediate validation.
Subject Account Name / Logon ID
The actor and hexadecimal logon session that performed the removal.
Common False Positives
- Privileged access reviews and role cleanup legitimately remove members from groups.
- Automated identity governance can remove expired group memberships.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
Use threshold=1 for removals from privileged global groups such as Domain Admins, Enterprise Admins, or custom Tier 0 groups. Microsoft documents 4729 as the removal counterpart to 4728/4733; if Member Security ID is removed shortly after suspicious access, the actor may be hiding or changing persistence, which maps to T1098 Account Manipulation. Correlate Subject Logon ID with 4624/4688 and verify the identity-governance ticket.
SecurityEvent
| where EventID == 4729
| project TimeGenerated, Computer, Account, MemberName, GroupName, GroupDomainindex=wineventlog EventCode=4729 | table _time, host, Account_Name, Member_Account_Name, Group_Name, Group_DomainEventID: 4729
Subject Account Name: admin.ops
Subject Logon ID: 0x27a79
Member Security ID: S-1-5-21-111-222-333-1109
Member Account Name: CN=svc-old,CN=Users,DC=corp,DC=local
Group Name: Domain Admins
Group Domain: CORP