Event ID - 639

Event Id639
SourceSecurity
DescriptionSecurity Enabled Local Group Changed:

Target Account Name: <Target Account Name>
      Target Domain: <Target Domain>
      Target Account ID: <Target Account ID>
      Caller User Name: <Caller User Name>
      Caller Domain: <Caller Domain>
      Caller Logon ID: <Caller Logon ID>
      Privileges: <Privileges>      

Changed Attributes:
      Sam Account Name: <Sam Account Name>
      Sid History: <Sid History>     

Event InformationAccording to Microsoft:
Cause :
This event record indicates that a change (other than group membership) has been made to a local group. There is no Failure Audit form of this audit event record. Group changes can have security implications.
Resolution :
The person with administrative rights for the computer should check to make sure there are no security implications for the change.

-------------------------------------------------------------------------------------------------

Cause:
This event record indicates that a change (other than group membership) has been made to a local group. There is no Failure Audit form of this audit event record. Group changes can have security implications.
Reference LinksEvent ID 639 from Source Security

Alternate Event ID in Vista and Windows Server 2008 is 4735.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh