| Event Id | 637 |
| Source | Security |
| Description | Security Enabled Local Group Member Removed: Member Name: <Member Name> Member ID: <Member ID> Target Account Name: <Target Account Name> Target Domain: <Target Domain> Target Account ID: <Target Account ID> Caller User Name: <Caller User Name> Caller Domain: <Caller Domain> Caller Logon ID: <Caller Logon ID> Privileges: <Privileges> |
| Event Information | According to Microsoft: Cause : A user or group account was removed from a local security group on the computer or on the domain. 1)The Member Name field specifies the user or group account that was removed. 2)The Member ID field specifies the user's domain-qualified user name. 3)The Target Account Name and Target Domain fields specify the group from which the user was removed. 4)The Target Account ID is the security identifier (SID) of the user or group account that was removed. 5)The Caller User Name specifies the user removed the user or group account. 6)The Caller Logon ID specifies logon ID of the user who removed the user or group account. 7)The Privileges field for this event is usually empty. Resolution : Confirm that the group removal operaiton is in compliance with the security policy of your organization. ------------------------------------------------------------------------------------------------------ Cause: This event record indicates that a member has been removed from a local group. This event also occurs when a user account is deleted and removed from the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Removing members from groups can have security implications. This is especially true when a user is removed from the Administrator group. |
| Reference Links | Event ID 637 from Source Security Alternate Event ID in Vista and Windows Server 2008 is 4733. |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.