none
Event id 4733 and 4732 Account Name

    Question

  • EventID 4732 and 4733 are found on windows 2008 servers when a local group is modified.  4732- member added and 4733 member removed.  When this event is generated the "Account Name" field does not contain any data.  When similar events are generated on domain controller, the distinguished name of the user is generated within that field.

    Does anyone know if there is a setting or some sort so that information regarding the user account cvould be populated in that field on member servers.

    Thanks

    Paul


    Paul Glickenhaus

    Thursday, April 26, 2012 3:53 PM

Answers

  • Hi,


    I'd like to confirm you are using Advanced Security Audit Policy Settings to get Event ID 4732/4733, or using ACS to report all additions to Administrative groups.


    For ACS, This was due to the fact that the user information is not recorded in these logged events and so ACS did not have access to the username to store it in the DB.

     

     
    Hope this helps!


    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support


    Saturday, April 28, 2012 3:00 AM

All replies

  • Hello,

     

    Thank you for your post.

     

    This is a quick note to let you know that we are performing research on this issue.

     

    Best Regards

    Elytis Cheng


    Elytis Cheng

    TechNet Community Support

    Friday, April 27, 2012 10:23 AM
  • Hi,


    I'd like to confirm you are using Advanced Security Audit Policy Settings to get Event ID 4732/4733, or using ACS to report all additions to Administrative groups.


    For ACS, This was due to the fact that the user information is not recorded in these logged events and so ACS did not have access to the username to store it in the DB.

     

     
    Hope this helps!


    Best Regards
    Elytis Cheng


    Elytis Cheng

    TechNet Community Support


    Saturday, April 28, 2012 3:00 AM
  • Hi can you tell me if the event id 4733 should only show on the domain controller with the account names. I have a suspicious log file with four users being removed. Could it be that my log is being restored from somewhere in order to hide some fraudulent activity?
    Friday, April 12, 2013 10:56 AM