question

balldigy asked FanFan-MSFT commented

Event ID 4732 and 4733 Account Name blank - Why?

Recently, I've come across a number of events in which our server administrators are adding domain groups to the local server Administrators group, which isn't abnormal... except that the events are not showing which Domain Group was added. Granted, the least possible denominator is the SID (Security ID) that is stamped, but it does not account for the additional research that must go on in order to ascertain the human-readable context. The MAIN problem that I would hope is explainable is why does the "Account Name" field remain blank when the server is part of the domain and logs are able to be correlated? Or wouldn't the name of the group (or group label) that is passed through as part of the new entry into the Local Administrators group be something that is recorded as part of the log?

An Example:

A member was added to a security-enabled local group.

  Subject:
      Security ID:        S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1 <Redacted Info>
      Account Name:        <A Server Admin Redacted>
      Account Domain:        <Server Domain Redacted>
      Logon ID:        <LOGON ID Redacted>

  Member:
      Security ID:        S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-12 <Redacted Info>
      Account Name:        -

  Group:
      Security ID:        S-1-5-32-544
      Group Name:        Administrators
      Group Domain:        Builtin

  Additional Information:
      Privileges:        -

Hi,
You are welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,


Hi,
 
Just checking in to see if the information provided was helpful.
 
If the reply helped you, please remember to accept it as an answer to end this thread.
If not, please reply and tell us the current situation so that we can provide further help.

Best Regards,


1 Answer

FanFan-MSFT answered FanFan-MSFT edited

Hi,
Based on my understanding, on the servers you use, the local administrator added a domain group to the local Administrators group, right?

Member:
Security ID [Type = SID]: SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event.
Account Name [Type = UnicodeString]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “-” value, even if new member is a domain account. For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”.

I tried adding a domain security group to the local Administrators group, and the Account Name shows “-” too.

Best Regards,
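
Because the member's Account Name is "-" on these local-group events, the readable name has to be recovered from the Member SID. The following PowerShell is an added example, not part of the original thread or of Microsoft's documentation; the helper names `Resolve-Sid` and `Convert-GroupChangeEvent` and the sample event with its placeholder SID and account names are constructed for illustration.

```powershell
# Added example: resolve the Member SID of 4732/4733 events. Helper names are hypothetical.
function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted principal, unreachable domain, or malformed SID: keep the raw SID.
        "<unresolved> $Sid"
    }
}

function Convert-GroupChangeEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $id = [int]$EventXml.Event.System['EventID'].InnerText
    # Local-group events usually log MemberName as "-"; resolve the SID only in that case.
    $member = if ($d.MemberName -and $d.MemberName -ne '-') { $d.MemberName } else { Resolve-Sid $d.MemberSid }
    [pscustomobject]@{
        EventId   = $id
        Action    = if ($id -eq 4732) { 'Added' } else { 'Removed' }
        Actor     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Group     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        MemberSid = $d.MemberSid
        Member    = $member
    }
}

# Constructed sample event (placeholder SID and names, not taken from a real log).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="SubjectUserName">admin.placeholder</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
Convert-GroupChangeEvent $sample

# Against the live Security log (needs an elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } |
#     ForEach-Object { Convert-GroupChangeEvent ([xml]$_.ToXml()) }
```

Run on a host that cannot map the placeholder SID, the sample falls back to the `<unresolved>` form; on a domain-joined server, the same call returns the `DOMAIN\Group` name for the Member SID.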



