Windows Event ID 4756: A member was added to a security-enabled universal group
Windows Security Event ID 4756 records addition of a member to a security-enabled universal group.
- Applicable version
- Windows Server 2008 and later where the audit subcategory is enabled
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents 4756 as the universal-group counterpart to 4732, with the same fields and recommendations except group type.
Key Fields
Member Security ID / Account Name
The principal added to the universal security group.
Group Name / Group Domain / Group Security ID
The affected universal group, which can be granted access in any trusting domain.
Expiration time / Privileges
Newer event versions may include membership expiration time; privileges captures special rights involved in the change.
Common False Positives
- Approved cross-domain access provisioning can add users to universal groups.
- Identity governance platforms may add temporary group memberships with expiration time.
Related Events
MITRE ATT&CK Mapping
- T1098Account Manipulation
Detection Notes
Use threshold=1 for additions to privileged universal groups or groups granting cross-domain access, especially when Expiration time is blank or unexpectedly long. Microsoft documents 4756 as the universal-group equivalent of 4732; adding a Member Security ID to a universal security group can extend access across trusting domains and supports T1098 Account Manipulation. Correlate Subject Logon ID with 4624/4688 and validate the provisioning request.
SecurityEvent
| where EventID == 4756
| project TimeGenerated, Computer, Account, MemberName, GroupName, GroupDomainindex=wineventlog EventCode=4756 | table _time, host, Account_Name, Member_Account_Name, Group_Name, Group_DomainEventID: 4756
Subject Account Name: admin.ops
Subject Logon ID: 0x27a79
Member Security ID: S-1-5-21-111-222-333-1109
Member Account Name: CN=svc-sync,CN=Users,DC=corp,DC=local
Group Name: Forest-App-Admins
Group Domain: CORP
Expiration time: -