Windows Security Log Event ID 4627

Operating Systems	Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Logon/Logoff • Group Membership
Type	Success
Corresponding events in Windows 2003 and before

4627: Group membership information.

On this page

Description of this event
Field level details
Examples

This is the only event of it's new Group Membership subcategory. One or more of these events are logged whenever a user logs on or a logon session begins for any other reason (see LogonTypes on 4624).

This event documents all the groups to which the user belongs.

This event is not really an event per se but a point-in-time documentation of the user's membership at the time of logon.

Free Security Log Resources by Randy

Description Fields in 4627

Subject:

Identifies the account that requested the logon - NOT the user who just logged on. Subject is usually Null or one of the Service principals and not usually useful information. See New Logon for who just logged on to the sytem.

Security ID
Account Name
Account Domain
Logon ID

Logon Type:

This is a valuable piece of information as it tells you HOW the user just logged on. See 4624

New Logon:

The user who just logged on is identified by the Account Name and Account Domain. You can determine whether the account is local or domain by comparing the Account Domain to the computer name. If they match, the account is a local account on that system, otherwise a domain account. See New Logon field description at 4624

Security ID: the SID of the account
Account Name: Logon name of the account
Account Domain: Domain name of the account (pre-Win2k domain name)
Logon ID: Semi-unique logon session ID number

Events in sequence:

If a user is member to too many groups to document in one event Windows will log multiple instances of this event.

Group Membership:

This is where all the groups are listed to whom the user belonged at time of logon.

This event has been tested with a domain account in a domain joined Windows 10 computer and we can confirm this event includes:

the local groups on that computer to which the user belongs
domain groups to which the user belongs
all groups, including groups the user is a member of by virtue of nested group membership
special principle SIDs the user has in their user token such as INTERACTIVE or NETWORK depending on type of logon. AKA Well Known SIDs

Setup PowerShell Audit Log Forwarding in 4 Minutes

Examples of 4627

Group membership information.

Subject:
   Security ID: AzureAD\RandyFranklinSmith
   Account Name: RandyFranklinSmith
   Account Domain: AzureAD
   Logon ID: 0x7A202

Logon Type: 2

New Logon:

Security ID: DESKTOP-TMO9MI9\Administrator
   Account Name: Administrator
   Account Domain: DESKTOP-TMO9MI9
   Logon ID: 0x1D80AF1

Event in sequence: 1 of 1

Group Membership:
   DESKTOP-TMO9MI9\None
   Everyone
   NT AUTHORITY\Local account and member of Administrators   group
   BUILTIN\Administrators
   BUILTIN\Users
   NT AUTHORITY\INTERACTIVE
   CONSOLE LOGON
   NT AUTHORITY\Authenticated Users
   NT AUTHORITY\This Organization
   NT AUTHORITY\Authenticated Users3
   LOCAL
   NT AUTHORITY\NTLM Authentication
   Mandatory Label\High Mandatory Level

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

December 2024 Patch Tuesday	"Patch Tuesday - 2 Zero Days...See You in 2025! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.