Windows Event ID 4732 — Member Added to Local Security Group
Logged when an account is added to a local security group on a Windows system. The most security-critical groups are local Administrators (full machine control), Backup Operators (file system bypass via SeBackupPrivilege), and Remote Desktop Users (RDP access). Unlike global group changes (4728), 4732 is machine-specific — but a pattern of 4732 events across multiple machines signals lateral movement preparation at scale.
MITRE ATT&CK
T1098 · Account Manipulation
Persistence
Why It Matters
Adding an account to local Administrators grants unrestricted control of that machine — the added account can install software, read all files, dump credentials from LSASS, and modify system configuration. Attackers use 4732 to establish persistent local admin access on high-value servers, even when their domain privileges are later revoked. Multiple 4732 events from the same account across different machines in quick succession is the lateral movement staging pattern — pre-positioning local admin access before executing the primary objective.
Key Fields
Investigation Tips
1. Backup Operators on Domain Controllers: members get SeBackupPrivilege and SeRestorePrivilege, allowing them to read any file regardless of ACLs, including NTDS.dit. An attacker with Backup Operators membership on a DC can exfiltrate the full AD password database. Alert on Backup Operators additions on DCs with Administrators-level urgency.
2. Cross-machine pattern: the same Member Account Name in 4732 events across 3+ hosts within a short window indicates lateral movement preparation. The attacker is staging local admin access ahead of their next action.
3. On domain-joined machines, local Administrators membership should be controlled by Group Policy (Restricted Groups or LGPO). A standalone 4732 addition not reflected in GPO is suspicious: it indicates a manual escalation attempt, even if it is overridden on the next GPO refresh.
4. Remote Desktop Users addition: correlate with subsequent Type 10 (RemoteInteractive) logons (4624) by the same account on the same host; that sequence is an attacker establishing an RDP backdoor on the target machine.
5. Verify that the Subject Account Name has legitimate authority to modify local groups. A standard domain user or service account performing this change is a privilege escalation indicator.
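The following script is an added worked example, not EventPeeker's code or the queries from its detection guide. It applies tips 1, 2, 4 and 5 to a handful of constructed 4732 and 4624 records: the hostnames, account names, the KNOWN_ADMINS and DOMAIN_CONTROLLERS sets, and the 30-minute / 3-host and 24-hour thresholds are all assumptions chosen for the illustration. Tip 3 (comparing against the Restricted Groups policy) needs the GPO as an input and is not implemented here.

```python
"""Triage checks for Windows Event ID 4732 over constructed sample records.

Added illustration, not EventPeeker code. Field names mirror the Security log
(Subject Account Name, Member Account Name, Group Name); hosts, accounts and
timestamps are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: 4732 (member added to local group) and 4624 (logon).
SAMPLE_EVENTS = [
    # Helpdesk grants a contractor RDP access; the contractor then logs on via RDP (type 10).
    {"time": "2024-05-01T09:00:00", "id": 4732, "host": "WS-042",
     "subject": "CORP\\helpdesk1", "member": "CORP\\contractor7", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T09:12:00", "id": 4624, "host": "WS-042",
     "account": "CORP\\contractor7", "logon_type": 10},
    # Backup Operators addition on a domain controller by a service account with no admin role.
    {"time": "2024-05-01T10:00:00", "id": 4732, "host": "DC01",
     "subject": "CORP\\svc-print", "member": "CORP\\tmpuser", "group": "Backup Operators"},
    # One account added to local Administrators on four hosts within twenty minutes.
    {"time": "2024-05-01T11:00:00", "id": 4732, "host": "FS01",
     "subject": "CORP\\jsmith", "member": "CORP\\jsmith", "group": "Administrators"},
    {"time": "2024-05-01T11:05:00", "id": 4732, "host": "FS02",
     "subject": "CORP\\jsmith", "member": "CORP\\jsmith", "group": "Administrators"},
    {"time": "2024-05-01T11:09:00", "id": 4732, "host": "JUMP01",
     "subject": "CORP\\jsmith", "member": "CORP\\jsmith", "group": "Administrators"},
    {"time": "2024-05-01T11:20:00", "id": 4732, "host": "CA01",
     "subject": "CORP\\jsmith", "member": "CORP\\jsmith", "group": "Administrators"},
    # Routine change: a known admin adds a monitoring account to a low-risk group.
    {"time": "2024-05-02T08:00:00", "id": 4732, "host": "APP03",
     "subject": "CORP\\it-admin", "member": "CORP\\svc-monitor", "group": "Performance Log Users"},
]

# Assumed environment knowledge (hypothetical values, normally fed from CMDB / AD).
KNOWN_ADMINS = {"CORP\\helpdesk1", "CORP\\it-admin", "CORP\\jsmith"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def group_severity(ev, domain_controllers):
    """Tip 1: rank the target group; Backup Operators on a DC outranks a plain Administrators add."""
    if ev["group"] == "Backup Operators" and ev["host"] in domain_controllers:
        return "critical"
    if ev["group"] in ("Administrators", "Backup Operators"):
        return "high"
    if ev["group"] == "Remote Desktop Users":
        return "medium"
    return "low"


def triage_4732(events, known_admins, domain_controllers,
                window=timedelta(minutes=30), min_hosts=3, rdp_window=timedelta(hours=24)):
    """Return a list of findings implementing investigation tips 1, 2, 4 and 5."""
    adds = sorted((e for e in events if e["id"] == 4732), key=_ts)
    rdp_logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]
    findings = []

    for ev in adds:
        sev = group_severity(ev, domain_controllers)
        if sev != "low":
            findings.append({"rule": "sensitive_group", "severity": sev, "host": ev["host"],
                             "member": ev["member"], "group": ev["group"]})
        # Tip 5: the Subject must be an account allowed to change local group membership.
        if ev["subject"] not in known_admins:
            findings.append({"rule": "unauthorized_subject", "severity": "high", "host": ev["host"],
                             "subject": ev["subject"], "group": ev["group"]})
        # Tip 4: Remote Desktop Users addition followed by a type 10 logon of the new member on that host.
        if ev["group"] == "Remote Desktop Users":
            t0 = _ts(ev)
            for lg in rdp_logons:
                if (lg["host"] == ev["host"] and lg["account"] == ev["member"]
                        and t0 <= _ts(lg) <= t0 + rdp_window):
                    findings.append({"rule": "rdp_after_add", "severity": "high", "host": ev["host"],
                                     "member": ev["member"], "logon_time": lg["time"]})
                    break

    # Tip 2: the same Member Account Name added on min_hosts or more distinct hosts inside one window.
    by_member = defaultdict(list)
    for ev in adds:
        by_member[ev["member"]].append(ev)
    for member, evs in by_member.items():          # evs keep the global time order
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if _ts(e) - _ts(first) <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "lateral_movement_staging", "severity": "critical",
                                 "member": member, "hosts": sorted(hosts)})
                break
    return findings


if __name__ == "__main__":
    for f in triage_4732(SAMPLE_EVENTS, KNOWN_ADMINS, DOMAIN_CONTROLLERS):
        print(f["severity"].upper(), f["rule"],
              {k: v for k, v in f.items() if k not in ("rule", "severity")})
```

On the sample data this yields nine findings: the Performance Log Users change by a known admin produces none, the DC01 Backup Operators add produces a critical group finding plus an unauthorized-subject finding, and the four Administrators adds for the same member collapse into one critical lateral-movement-staging finding alongside the per-host group findings. In production the records would come from an EVTX parser or SIEM export, and the window and host-count thresholds should be tuned to how your endpoint management tooling normally pushes local group changes.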
Frequently Asked Questions
- Why is Event ID 4732 firing and should I be concerned?
- Event 4732 fires every time an account is added to a local security group on a Windows machine. It fires for legitimate operations too — adding a new employee to Remote Desktop Users, granting a contractor local admin for troubleshooting, or a software installer adding its service account to Performance Log Users. The concern threshold is: which group, which account was added, and who made the change. Administrators group addition from an unexpected account or outside a change window is high priority. Backup Operators addition is also critical — it grants the ability to bypass file permissions and read NTDS.dit, which is the domain password database.
- Is being added to the local Administrators group always malicious?
- No — adding accounts to local Administrators is routine for IT operations (helpdesk access, software installation, endpoint management). The malicious patterns are: addition of a domain account to local Administrators on multiple machines in quick succession (lateral movement staging), addition of a newly created account (correlate with 4720 within the same hour), addition from a non-admin account (Subject Account Name is not a known IT admin), or addition on servers and DCs where local admin membership should be tightly controlled. Always cross-reference with your change management tickets.
- How can local Backup Operators group membership (Event ID 4732) lead to a domain compromise?
- The Backup Operators group has SeBackupPrivilege and SeRestorePrivilege, which allow bypassing file system permissions for backup purposes. An attacker with Backup Operators membership can use this to copy NTDS.dit (the Active Directory database on a DC) and SYSTEM registry hive — which together contain all domain password hashes. Combined with tools like diskshadow or ntdsutil, Backup Operators membership on a DC is effectively equivalent to Domain Admin for credential extraction purposes. Alert on any 4732 for the Backup Operators group on domain controllers specifically.
- What's the difference between Event ID 4728 and Event ID 4732?
- Event 4728 fires when an account is added to a global security group (domain-level groups like Domain Admins, which apply across the entire domain). Event 4732 fires when an account is added to a local security group (machine-level groups like Administrators or Remote Desktop Users on a specific host). Both are persistence and privilege escalation indicators, but at different scopes: 4728 affects domain-wide access, 4732 affects single-machine access. An attacker targeting a specific high-value server (a file server, a jump host, a CA server) may use 4732 rather than 4728 to gain persistent access without touching domain-wide group memberships that are more heavily monitored.