SOC Event Lookup
Event ID 4732GroupMgmtP1

Windows Event ID 4732: A member was added to a security-enabled local group

Windows Security Event ID 4732 records a member being added to a security-enabled local group, including the local Administrators group.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

Windows generates the event when local group membership changes on the audited system.

Key Fields

Member

The account or SID added to the group. Resolve SIDs when a name is unavailable.

Group

The local group receiving the member. Administrators and Remote Desktop Users are especially important.

Subject

The identity that made the change. Validate its administrative role and session context.

Common False Positives

  • Endpoint management and approved provisioning workflows can add local administrators.
  • Break-glass and support processes may temporarily add accounts during incidents.

Related Events

MITRE ATT&CK Mapping

  • T1098Account Manipulation
  • T1078Valid Accounts

Detection Notes

T1098 privilege escalation is indicated when Group is Administrators or Remote Desktop Users and Member is a new, dormant, or foreign-domain account. Addition to Administrators followed by 4672 and Type 10 4624 is a concrete local-admin persistence chain.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4732
| where TargetAccount has_any ("Administrators", "Remote Desktop Users")
| project TimeGenerated, Computer, Account, MemberName, TargetAccount
Splunk SPL
index=wineventlog EventCode=4732
| search TargetUserName IN ("Administrators", "Remote Desktop Users")
| table _time, host, SubjectUserName, MemberName, TargetUserName
Sample Log
Member: CORP\jsmith
Group: Administrators
Subject: CORP\admin.ops
Computer: WS-014

Source