4732 - "A member was added to a security-enabled local group" - system account as subject?

djc 1 Reputation point
2020-08-27T19:29:27.52+00:00

Hello,

Windows security event log 4732:

I see log entries where it's clear 'user A' added 'user B' to 'group C'... however I also see entries where, instead of it being a user that is doing the adding to the group, it is 'nt authority\system', the computername$ account... What would make that happen? Is it normal?

Any insight would be great.

Thanks


4 answers

  1. Hannah Xiong 6,256 Reputation points
    2020-08-28T03:19:35.513+00:00

    Hello,

    Thank you so much for posting here.

    In my case, there will be event log 4732 as shown below if adding the user 999 to the group 99.

    [screenshot: 21121-7.png]

    [screenshot: 20940-6.png]

    It is the Administrator account that is doing the adding to the group. So the Account Name is administrator.

    So sorry that we could not clearly understand your meaning of "it is 'nt authority\system', the computername$ account". If possible, would you please kindly provide us the screenshot of the event log 4732?

    For more information about this event ID, we could refer to:
    https://video2.skills-academy.com/en-us/windows/security/threat-protection/auditing/event-4732

    Thank you so much. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. djc 1 Reputation point
    2020-08-31T15:26:28.857+00:00

    Hi,

    Thanks for the response - the scenario in question is exactly like your screenshot only the 'Subject' information refers to 'nt authority\system' and computername$ where yours refers to Administrator and BOOK\Administrator.

    I can't get a screenshot of the event log directly from event viewer as all my logs go to splunk, however I'll post back shortly with some example data from splunk.

    Thanks.


  3. djc 1 Reputation point
    2020-08-31T16:45:51.94+00:00

    I tried to put in my example log data using the 'Code Sample' feature in this editor, but it would not show it... the data is XML (Q&A will definitely want to fix that)... here is a screenshot of the data.

    Here is the raw event data for one example (we send Windows event logs to Splunk in XML format).
    Note: computer, domain, user, and group names have all been changed for privacy/security, of course.

    [screenshot: 21539-4732-1.png]

    Here are the important bits pulled out to make it easier to read:

    [screenshot: 21576-4732-2.png]

    So, based on how I've renamed the bits, it says this:

    "SOURCECOMPUTERNAME\UserOrGroupBeingAdded" was added to the local group "SOURCECOMPUTERNAME\GroupBeingAddedTo" by "NT AUTHORITY\SYSTEM" (SOURCECOMPUTERNAME$)

    and what I want to understand is what causes this? I have many examples all showing essentially the same thing; it is not just one computer. I expect this is 'normal', but I want to understand and explain to others how/why it happens.

    Regards

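The post above describes reading the 4732 XML fields by hand and rewriting them as a sentence. As an added example (not from the thread or from Microsoft), this parses a constructed 4732 event in the XML shape Windows forwards, falls back to the member SID when MemberName is "-", and classifies the subject so an analyst can separate SYSTEM/machine-account additions from user-driven ones. All names and SIDs in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL_SYSTEM_SID = "S-1-5-18"          # resolves to NT AUTHORITY\SYSTEM
SYSTEM_LOGON_ID = "0x3e7"              # well-known logon ID of the local SYSTEM session

# Constructed sample 4732 event (field names match the real event schema; values are placeholders).
SAMPLE_4732 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>SOURCECOMPUTERNAME.example.test</Computer></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="TargetUserName">GroupBeingAddedTo</Data>
    <Data Name="TargetDomainName">SOURCECOMPUTERNAME</Data>
    <Data Name="TargetSid">S-1-5-32-555</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SOURCECOMPUTERNAME$</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>"""


def parse_4732(xml_text):
    """Return a flat summary of a 4732 event, or None if the XML is a different event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4732":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

    # MemberName is "-" when the SID could not be resolved to a name; keep the SID instead.
    member = data.get("MemberName", "-")
    if member == "-":
        member = data.get("MemberSid", "?")

    subject_sid = data.get("SubjectUserSid", "")
    subject_name = data.get("SubjectUserName", "")
    # SYSTEM (S-1-5-18) or a machine account (name ends in $) means a local service, task or
    # script did the add, not an interactive user; such entries are usually triaged separately.
    if subject_sid == LOCAL_SYSTEM_SID or subject_name.endswith("$"):
        actor_class = "system-or-machine-account"
    else:
        actor_class = "interactive-user"

    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "group": f'{data.get("TargetDomainName", "")}\\{data.get("TargetUserName", "")}',
        "member": member,
        "subject": f'{data.get("SubjectDomainName", "")}\\{subject_name}',
        "subject_logon_id": data.get("SubjectLogonId", ""),
        "actor_class": actor_class,
    }
```

The returned dictionary is the same information the post above wrote out as a sentence, with the actor class added so a search can keep or drop SYSTEM-driven entries.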

  4. Hannah Xiong 6,256 Reputation points
    2020-09-01T03:06:35.833+00:00

    Hello,

    Thank you so much for your feedback.

    So sorry that it is hard to tell what causes this, since there might be several causes, such as a scheduled task or scripts, according to my research. We could kindly have a check.

    To further troubleshoot, we could use Network Monitor and Process Monitor to perform a packet capture and collect data. Then we could try to analyze the data and figure out the issue. Due to security considerations and forum support, please do not share the data information here.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong