Event ID 636 - Security Enabled Local Group Member Added
|Sub category||Audit Security Group Management|
|Description||A member was added to a security-enabled local group|
When Active Directory objects such as an user/group/computer is added to a security local group, event ID 636 gets logged.
This log data gives the following information:
|Subject: User who performed the action||Security ID
|Member: Object added to the security group||Security ID
|Group: Security local group to which the object was added||Security ID
Why event ID 636 needs to be monitored?
- Prevention of privilege abuse
- Detection of potential malicious activity
- Operational purposes like getting information on user activity like user attendance, peak logon times, etc.
- Compliance mandates
ADAudit Plus alerts and tracks critical activities such as adding or removing user/group/computer to security groups, thus making Active Directory auditing much easier.
Event 636 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID for 636 in Windows Server 2008 and Vista is 4732