EventPeeker: Event ID 4729 · Audit Success · Security · T1098

Windows Event ID 4729: Member Removed from Global Security Group

Logged when an account is removed from an Active Directory global security group. The complement to Event ID 4728 (member added). Includes removals from high-value groups such as Domain Admins, Enterprise Admins, and Group Policy Creator Owners.

MITRE ATT&CK

Technique

T1098 · Account Manipulation

Tactic

Persistence


Why It Matters

Attackers remove accounts from privileged groups for two reasons: disruption and cleanup. Removing legitimate admin accounts from Domain Admins locks out defenders during an active incident — IT cannot remediate what it cannot access. Post-objective cleanup involves removing backdoor accounts from visible groups (while leaving other persistence mechanisms in place) to make the intrusion harder to detect in an AD review. A Domain Admin account removed from Domain Admins by an unexpected Subject Account — especially during a security incident — is a critical signal that an attacker is actively interfering with the incident response.

Key Fields

Group Name: The group the account was removed from — Domain Admins, Enterprise Admins, Schema Admins, and DNSAdmins removals are highest priority; removal from these groups has immediate domain-wide impact.
Member Account Name: The account that was removed — if this is a known IT admin or incident responder, investigate immediately; if it is a recently added unknown account, this may be backdoor cleanup.
Subject Account Name: Who performed the removal — should match your known AD admin or provisioning accounts. An unexpected remover, or the same account that previously added the member (4728 by the same Subject), is suspicious.
Subject Logon ID: Links to the remover's 4624 session — verify the session's source IP and logon type.

Investigation Tips

  1. Defender disruption pattern: a legitimate IT admin account removed from Domain Admins during or immediately after a security incident response is an attacker attempting to prevent remediation. Treat any Domain Admins removal during an active incident as highest priority regardless of the Subject Account Name — the Subject itself may be compromised.
  2. Cleanup pattern: search for a preceding 4728 event for the same Member Account Name. If a 4728 (add) and 4729 (remove) for the same account occur days apart with no corresponding HR action, the account may have been a temporary backdoor that is now being cleaned up. The removal is the final step — review what the account did between the add and remove.
  3. Correlate pairs: the same Subject Account Name performing both 4728 (add an account) and 4729 (remove a different account) in the same session is the privilege pivot pattern — adding a controlled account while removing a legitimate one to shift control.
  4. Timing with other events: 4729 events on Domain Admins immediately preceding 4726 (account deletion), 1102 (log cleared), or Sysmon 11 (mass file creation) fit ransomware pre-staging — the attacker is removing IT's ability to respond before deploying the payload.
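The four correlations above, implemented over a handful of constructed Security-log events as an added example (not EventPeeker's code). Field names follow the EventData names in the Security log; the allow-list of expected group-change actors and the 15-minute pre-staging window are assumptions.

```python
from datetime import datetime, timedelta

HIGH_VALUE_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "DNSAdmins"}
KNOWN_CHANGE_ACTORS = {"svc_provisioning"}  # assumed: accounts expected to change group membership

# Constructed sample events keyed by the Security log's EventData field names.
# For 4728/4729 TargetUserName is the group; for 4726 it is the deleted account.
SAMPLE_EVENTS = [
    {"EventID": 4728, "Time": "2024-05-01 09:00:00", "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a3",
     "MemberName": "CORP\\backup_svc", "TargetUserName": "Domain Admins"},
    {"EventID": 4729, "Time": "2024-05-01 09:02:00", "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a3",
     "MemberName": "CORP\\ops_admin", "TargetUserName": "Domain Admins"},
    {"EventID": 4729, "Time": "2024-05-02 10:00:00", "SubjectUserName": "svc_provisioning", "SubjectLogonId": "0x77",
     "MemberName": "CORP\\leaver", "TargetUserName": "Finance-Global"},
    {"EventID": 4729, "Time": "2024-05-03 22:15:00", "SubjectUserName": "jdoe", "SubjectLogonId": "0x9f1",
     "MemberName": "CORP\\backup_svc", "TargetUserName": "Domain Admins"},
    {"EventID": 4726, "Time": "2024-05-03 22:16:30", "SubjectUserName": "jdoe", "SubjectLogonId": "0x9f1",
     "MemberName": "", "TargetUserName": "CORP\\backup_svc"},
]

def event_time(ev):
    return datetime.strptime(ev["Time"], "%Y-%m-%d %H:%M:%S")

def correlate_removals(events, window=timedelta(minutes=15)):
    """Return (pattern, removal_time, detail) for every 4729 that matches one of the patterns above."""
    events = sorted(events, key=event_time)
    adds = [e for e in events if e["EventID"] == 4728]
    findings = []
    for r in (e for e in events if e["EventID"] == 4729):
        t, member, group, logon = event_time(r), r["MemberName"], r["TargetUserName"], r["SubjectLogonId"]
        # Alert threshold from the FAQ: unexpected remover plus a high-privilege target group.
        if group in HIGH_VALUE_GROUPS and r["SubjectUserName"] not in KNOWN_CHANGE_ACTORS:
            findings.append(("unexpected_remover_high_value", t, f"{r['SubjectUserName']} removed {member} from {group}"))
        # Cleanup pattern: an earlier 4728 put the same member into the same group.
        for a in adds:
            if a["MemberName"] == member and a["TargetUserName"] == group and event_time(a) < t:
                findings.append(("add_remove_pair", t, f"{member} added {event_time(a)}, removed {t}"))
        # Privilege pivot: the same logon session added a different account.
        if any(a["SubjectLogonId"] == logon and a["MemberName"] != member for a in adds):
            findings.append(("privilege_pivot", t, f"session {logon} added another account and removed {member}"))
        # Ransomware pre-staging: account deletion or log clearing shortly after a high-value removal.
        if group in HIGH_VALUE_GROUPS:
            for f in events:
                if f["EventID"] in (4726, 1102) and t <= event_time(f) <= t + window:
                    findings.append((f"removal_then_{f['EventID']}", t, f"{member} removed, then {f['EventID']} at {event_time(f)}"))
    return findings

if __name__ == "__main__":
    for pattern, when, detail in correlate_removals(SAMPLE_EVENTS):
        print(f"{when}  {pattern:30s} {detail}")
```

The routine removal of `CORP\leaver` from a non-privileged group by the provisioning account produces no finding, which is the expected baseline for offboarding noise.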


Related Event IDs

4728: Member added to global group — the complementary addition event
4732: Member added to local group — local group membership companion
4733: Member removed from local group
4624: Successful logon — correlate Subject Logon ID to trace the session performing the removal
4726: Account deleted — removal may precede deletion as part of cleanup

Frequently Asked Questions

Is Event ID 4729 always suspicious?
No — removing accounts from groups is routine IT operations: offboarding removes users from resource groups, role changes adjust group memberships, and cleanup processes remove stale accounts. The suspicious patterns are: removal of IT admin accounts from Domain Admins or Enterprise Admins, removal by an account that is not a known IT admin, removal during or after a security incident, or a removal that pairs with a preceding 4728 addition for a different unknown account in the same session. The combination of an unexpected remover and a high-privilege target group is the alert threshold.
How can removing someone from Domain Admins help an attacker?
If an attacker has already established their own persistent admin access (via a different account or mechanism), removing legitimate IT admins from Domain Admins means those IT staff cannot use AD management tools, cannot reset passwords on compromised accounts, cannot view all AD objects with admin rights, and cannot perform domain-level incident response actions. This buys the attacker more dwell time. It is most commonly observed in pre-ransomware staging — attackers lock out IT before deploying the payload so that the recovery window is extended.
What is the difference between Event ID 4729 and Event ID 4733?
Event 4729 covers global security groups — domain-wide groups like Domain Admins, Enterprise Admins, and custom global groups. A change here affects all systems in the domain. Event 4733 covers local security groups on individual machines — like the local Administrators group on a specific server. Both follow the same investigation logic, but 4729 has a broader blast radius. Monitor 4729 first for high-priority groups; monitor 4733 for cross-machine patterns that indicate lateral movement staging.

Go deeper: the full Account Persistence — Backdoor Accounts and Unauthorized Group Changes guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.
